BTH News 26June2020
This Week In Cybersecurity
This week on Between the Hacks, Netgear vulnerabilities, U.S. police data leaked, Lucifer malware targets Windows, 80% of people don’t delete data from their car before selling, and find out if your accounts have been part of a data breach.
Netgear Vulnerabilities
This week, Netgear, a company that makes small office/home office (SoHo) networking equipment like routers, issued a security advisory notification after they became aware of vulnerabilities involving the Remote Management feature in certain NETGEAR products.
Negear has released hotfixes for some of the vulnerabilities and as of 6/26/2020, they are still working on creating additional hotfixes for the remaining vulnerabilities and models.
The Remote Management feature is disabled by default but if you have a Netgear product, it's worth checking to make sure this feature is disabled. You can find instructions in the Netgear Security Advisory Notification.
This situation shines a light on a very real problem with many consumer-grade networking and IoT products. The problem is that they lack an automatic update feature. Netgear is advising that their customers download and install the latest hotfix, but how many of their customers will even learn about this vulnerability and the existence of the hotfixes? As with many home routers and IoT devices, there will likely always be vulnerable systems on the Internet because the end user is being given the responsibility of knowing about, and installing a patch. If you own a home router that does not update automatically, I strongly recommend replacing it. This is the device that is protecting your home or office from constant Internet attacks but without security patching, your router and your whole network are vulnerable.
BlueLeaks: Police Department Data Published Online
Last Friday, an activist group named Distributed Denial of Secrets (DDoSecrets), published almost 300 GB of data that they claim has been stolen from law enforcement agencies and fusion centers, according to ZDNet. The data dump, dubbed “BlueLeaks,” includes 24 years of data from over 200 US police departments, FBI reports, and other law enforcement agencies.
KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), “which confirmed the validity of the leaked data.” The NFCA analysis also warns that leaked files include emails with associated attachments and "highly sensitive information" such as bank account routing numbers and other personally identifiable information, as well as images of criminal suspects.
DDoSecrets co-founder Emma Best tells WIRED that the data came from a source claiming to be from the hacktivist group, Anonymous. Best also stated, “It’s the largest published hack of American law enforcement agencies,” and “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to COVID and the BLM protests.” according to Wired.
Best also admitted that the DDoSecrets group had not properly redacted all of the information about crime victims, children and unrelated private businesses. The result of the disclosure and failure to redact properly has resulted in DDoSecrets being permanently banned from Twitter, according to Graham Cluley of Bitdefender.
Lucifer Malware Targets Windows
An evil new strain of malware is targeting Windows systems with a trove of exploits and DDoS capabilities.
Palo Alto Network’s Unit 42 researchers disclosed, “On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed ‘Lucifer’, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts.”
While there are patches available for all of the exploits used in the Lucifer malware, impacted victims have clearly not installed all of those patches. Threatpost reports, “The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities”.
The Lucifer malware is capable of self-propagation and already has an update. Latesthackingnews.com reported, “The Lucifer v.1 performs cryptojacking, DDoS attacks, brute-forcing credentials, and self-propagation. Whereas, Lucifer v.2, in addition to these capabilities, also exhibits anti-sandbox and anti-debugger functionalities.
The best way to defend against this malware is to ensure all Windows patches are up to date and use strong passwords and MFA to prevent against rainbow table attacks.
80% of Drivers Don’t Delete Data before Selling their car
Modern cars are computers on wheels. This computing technology allows drivers to connect their smart phones to the in-console display and safely listen to their own music, navigate their drives, voice-text, and talk on the phone in a safe, hands-free manner.
According to a recent survey from Which?, 80% of drivers have not removed personal data from their car’s computer before selling that car. “Between December 2019 and February 2020, the consumer advisory group surveyed more than 14,000 individuals who had sold their car in the previous two years, exposing concerning behavior” wrote Bitdefender.
When pairing a smart phone to a car, there is a lot of data that can be transferred to the car. “The sensitive information these motorists are freely handing to the people who buy their cars includes their full phonebook contacts list and numbers, home addresses and even wifi for their homes” reports MSN.
To learn more about the Which? survey, watch the video below.
TIPS:
Also remember to delete all of your data from rental cars. It is convenient to sync your data to a rental car and much safer than trying to hold your phone as a navigation tool while driving in an unfamiliar location but always remember to delete that data before you return the car.
Kim Komando shares five ways that you can clear your personal data from a car.
Tip of the Week
Have I Been Pwned?
NOTE: “pwned” is pronounced pōned and rhymes with owned.
This week’s tip is a very valuable one. In late 2013, after the Adobe data breach, Australian cybersecurity expert, Troy Hunt, created the free web service, HaveIBeenPwned (HIBP), “as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or ‘pwned’ in a data breach.”
What does “pwned” mean? In this context, it basically means that an account has been hacked or compromised. The etymology of the term is an interesting story that you can read about here.
By using the HIBP website, you can see if your email address and an associated password has been publicly shared as part of a data breach. Last week, Hunt released a new version of HIBP that now contains 572,611,621 known, compromised passwords so if you have accounts on the Internet, it’s likely you will be in there.
As an individual, you can go to haveibeenpwned and enter your email address, hit enter, and you can see if, and which data breaches shared your account credentials.
The next great feature of this site is the “Notify Me” option. By choosing this, you can have HIBP send you an email anytime it sees your email in future data breaches.
If you happen to be someone who owns one or more domain names, HIBP has another cool feature for you. Choose the Domain Search option and you can enter your domain name (e.g. betweenthehacks.com). You will need to verify that you own the domain name, but after that you will get a list of all the email addresses and breach information for your domain name and you will get future reports as new breaches are added.
If you are nervous about using this service, rest assured that this is a highly recommended site by many paranoid cybersecurity professionals and many companies and U.S. government agencies also use this service. Remember, all it is doing is letting you know if your account credentials were publicly shared on the Internet.
If you want some more background on this free service and to hear about it straight from Troy Hunt, himself, check out this 2015 interview by Shannon Morse from Hak5, below.