Secure With Celerity Episode 5
DAVID TAYLOR [00:00:10] Hello and welcome to Secure with Celerity, the show where we digest the week’s top cybersecurity news stories. I’m your host David Taylor. My co-host joining me is the fire to my wall, Mr. Joshua Read. So the first story is we’re going back to the EasyJet cyber security database of 9 million records. But today we’re talking about the fact that there is a group class action lawsuit against them to the tune of 18 billion pounds even, which is not going to be enjoyable on top of everything else. And that’s not even including the ICO. So what have you got on this one, Josh?
JOSHUA READ [00:00:51] Yeah. So on May the 22nd, PGMBM filed a claim in the High Court of London on behalf of the victims of the data breach. It was mainly around Article 82, part one of GDPR, where affected customers have the right to receive compensation for distress or inconvenience, annoyance or misuse of personal data, which is very understandable. There was a lot of people’s information breached in this data breach. And I’m not surprised at all that this legal group have taken action. So basically it’s a Robin Hood type of lawsuit by PGMBM, a no win, no fee type of situation. It’s completely separate to the ICO’s GDPR fines or sanctions that they’ll take. This is the same firm that was on the steering committee on the VW, Volkswagen and Mercedes emissions scandal, which was earlier in the decade. And I think PGMBM would take a nice healthy cut of 5.5 billion if it all goes so well. I’m not surprised this has come to fruition, it’s no surprise that they’re gonna take action. There’s a lot of information that was breached in the EasyJet breach and the whole legality and process around notifying their users has been questionable at best. I think the main interesting thing here is still going to be the process which GDPR is gonna take, especially with COVID-19 happening at the moment. There have been rumours that GDPR sanctions and the regulations and the process around GDPR are gonna be relaxed a little bit whilst COVID-19 is taking place, obviously due to reduced resource and capacity and that sort of stuff. But there was an interesting article by Seth Rosenblatt who suggested the EU is given more breathing room to talk in terms of remedy to violations. I’m not sure if EasyJet will fall into this breathing room. GDPR breathing room, if you know what I mean. Obviously, the breach supposedly happened in January. There have been suggestions that this breach could have dated back to November last year. 
It’s a lot of people’s information. That amount of information, the volume of information that was stolen, doesn’t happen overnight. You know, in the real world you don’t jump onto a server or a database and extract 20 million people’s intimate, you know, email addresses, passwords, whatever was stolen. That volume of data is gonna be quite substantial and isn’t gonna happen overnight. So, you know, it’s probably why they’ve said it’s been such a sophisticated attack. And I disagreed with them coming out and saying it was a sophisticated attack. TalkTalk did exactly the same back in 2016. And that turned out to be a very bog standard SQL injection attack carried out by a one person team. And that one person was a teenager. So the use of “sophisticated” is frowned upon. I wouldn’t call it sophisticated at this moment in time till they release, you know, release the information. But I think the odd thing about all of this as well is that there was talk of credit card CVV details that had been breached in this, and if EasyJet were following regulations, they shouldn’t be holding onto those credit card CVV details, which a lot of people have suggested is leaning towards a similar attack to the one British Airways fell foul of, which was like a Magecart credit card skimming attack on the website. So it wouldn’t surprise me if it was a multitude of attack types. But there are still no details going forward on this. Again, this lawsuit coupled with the fine the GDPR will bring on them, it’s not gonna be pleasant at all. It’s going to be very harmful to both the British economy and also the organisation as well. Well, yeah, I think the details that EasyJet released to the customers were questionable as well. The one on the left was the one that was released to those that had their credit card details or debit card details stolen. And it’s questionable at best. 
I think in the cyber security world, we always talk around, you know, be wary of emails that are very vague, i.e. “customer”. And the first thing on the email is “Dear customer”, on both of them as well. I think the second ironic thing that I picked up on as well was, you know, a contradictory statement in paragraph two. It went to write to me personally and I almost forgot that my first name was Customer.
DAVID TAYLOR [00:07:12] I think, you know, in this day and age, you know, even the most basic of CRM, which I know EasyJet wouldn’t have, would give you a lock and platform that you could send an email from with personalisation, and let’s just go with “customer”.
JOSHUA READ [00:07:26] Yeah. And especially with the severity of things and the volume of things as well. You know, it doesn’t sit very well with me that, you know, and the word “recent” is also taken with a pinch of salt as well. It’s not recent. A recent cyber attack would have been yesterday. This happened in January. And there’s also suggestions that it can date back to November 2019, you know, and the sheer volume of data that was stolen wouldn’t have been stolen overnight, as I said before. They also mentioned the fact that it was a sophisticated attack. I disagree with that as well. They shouldn’t have said it was a sophisticated attack until they released the attack details so that, you know, it didn’t come back and bite them and people in the cyber security world say that that really wasn’t a sophisticated attack and they should have been able to stop it.
DAVID TAYLOR [00:08:28] Lack of transparency is going to make it look worse. But, you know, they’re in a bad place. So, like you said, if it comes out later on that it’s a teenager in the bedroom doing it. Yeah. Yeah. Could be. Could be worse.
JOSHUA READ [00:08:44] I think the one thing I have liked about the way they have dealt with this is how they’ve come out and spoken about phishing. They’ve sent numerous emails to those affected, warning them that they may be subject to phishing attacks because of the fact that the details have been stolen in these breaches. It’s not something that is commonly seen. Well, it isn’t. There’s different ways that companies do it in data breaches. But there has been a particular focus and emphasis on warning customers that that data has been stolen and that they may be included in new phishing attacks where the data was sold on the dark web, as it is in the next story that we cover. Well, again, watch this space. It’ll definitely be a very interesting story when it’s released, how this attack was carried out, how the attack managed to get itself onto EasyJet. Definitely interesting to find out how it happened. And it would be a big shoot yourself in the foot if they fell victim to the exact same attack type that British Airways fell victim to. Well, again, we’ll have to wait and see what happens with this one.
DAVID TAYLOR [00:10:06] Definitely. Well, we’ll keep an eye on that one. So our next story revolves around LiveJournal, which is a blogging platform, and it’s a bit of a long story, which I think we’re going to go through quite a lot of the details of. But I guess the crux of it is 26 million of their customer accounts were compromised. And I think they still haven’t come out and said that they have. So I think people are finding out on, say, the dark web marketplaces. And we’ll go through it. But I think you said 2014 was the first rumours that there might have been a data breach.
JOSHUA READ [00:10:44] This is a really awful one. So the blogging platform LiveJournal appeared back in 2014 to have had a data breach. There’s been various reports over the last six years of users saying that usernames, email addresses and passwords specifically only being used on the LiveJournal platform had appeared in sextortion attacks and phishing attacks. And they know for a fact that they were only used on that LiveJournal platform. I think there’s been various different reports across the US, and rumours of a general security breach have been circulating online in the years after it happened, and especially the last two years. The earliest talks appeared in October 2018, when, again, multiple users were being included in sextortion campaigns, and Dreamwidth, which was a blogging platform which forked off from LiveJournal, almost like a spin-off version of LiveJournal, were voicing their concerns as well. They said that they’ve been targeted with multiple credential stuffing and brute force attack attempts using the credentials that were breached in the LiveJournal breach. I think the Rambler Group, the group which is responsible for LiveJournal, has declined to formally acknowledge a breach, which I find very odd, in its previous communications with Dreamwidth administrators. So Dreamwidth have gone to LiveJournal and said, look, your platform’s been breached. We’ve got this, this, this and this as evidence. And they’ve gone around and went no, we’re not accepting it. Have I Been Pwned, the well-known data breach indexing service, announced that it received a copy of the LiveJournal user database and indexed the data on its own website. So those that believe that they have been breached can go to Have I Been Pwned and check. I think since then, I think once Have I Been Pwned removed all the duplicate entries, 
there were 26,372,781 LiveJournal users that were breached. Well, I think the first mention of the LiveJournal database breach becoming broadly available, the first available dataset, was back in July 2019, which was available on the now defunct data breach indexing service WeLeakInfo, and they announced that they had a copy of the database which was added to that service. Recently the LiveJournal database has appeared on a dark web marketplace, listed for sale at the lowly price of 35 dollars. But, you know, it was shocking, to be fair, that you can get a list of 22 million users for 35 dollars, that is incredible, if I’m honest, from a point of view. The posts sharing the links say the data contains email addresses, usernames, profile URLs and passwords. Now to an attacker, profile URLs aren’t specifically useful; usernames, email addresses and passwords are, especially when the passwords were converted from MD5 hashes to clear text. So they were basically sitting there in clear text and that can be used in brute force attempts on other platforms. Email addresses can be used in further spam and phishing campaigns. It’s a never ending thing, but essentially the LiveJournal data is being handled, well, passed around like trading cards in the school playground. So it’s yet another reason why you shouldn’t really use the same password across multiple platforms. And if you really want to be savvy and hygienic, don’t use the same email across multiple platforms. I think there was evidence that users, obviously, as I said before, were able to identify the breach because they knew that they used a unique email address and password and then subsequently were involved in sextortion and phishing attacks. You know, if you can identify an email address to a specific platform and a password to a specific platform, you know that, you know, that could potentially have been a breach they haven’t listed or made public. 
So, yeah, it’s a complicated story and an old one. And I think there’s elements of this where something doesn’t quite add up, especially from the LiveJournal point of view. Like Dreamwidth being quite open about it all. And Have I Been Pwned basically called their bluff and put the combined index of that database on their website so you can check to see if your data has been stolen, but yeah, it’s interesting to say the least.
DAVID TAYLOR [00:17:09] Would you find that maybe some of these customers would be UK based or Europe based, and would they then therefore fall under GDPR in terms of potential fines?
JOSHUA READ [00:17:19] It’s an odd one because GDPR has only come in in the last couple of years. The rules around historical breaches are very grey. This happened supposedly back in 2014. And to avoid GDPR sanctions and regulations, if I was LiveJournal or Rambler Group, I would be making it really, really obvious that it happened back in 2014 just to avoid GDPR sanctions. Well, again, this is a developing story and it would definitely be interesting to see what the developments are over the next couple of years. LiveJournal is not something I’ve been really aware of. I’ve not heard of it, but if it’s got 26 million users, maybe, yeah, that’s quite a lot of users and it’s also quite impactful if it’s been breached. So, yeah, we’ll have to keep our eye on it and see what happens.
DAVID TAYLOR [00:18:28] Definitely. We’ll watch this space. So our next story is about StrandHogg 2.0, which is essentially the update to the critical bug from last year, which is on Android apps and allows them to be hijacked, basically creating a fake app icon on your phone as such. And when you click onto it, it takes you to like a fake page, asks you to put in your details, and can take, you know, if you’ve got a bank account, you could then put your banking details in. So quite hard to spot. But I think there were some indications that if you click on your email application and you’re already signed in and it asks you for your login details again, that could be a sign that you’ve got this critical bug and someone’s on your phone. But have you got some more details on this?
JOSHUA READ [00:19:21] Yeah. This one was responsibly disclosed to Google, and, you know, the story around it is quite boring because it’s been responsibly disclosed. You know, I do like an irresponsibly disclosed one, an interesting story. Yeah. They’re the ones where the developers are flapping and trying to fix it as quick as they can because the researchers published on Twitter or various different platforms. But essentially, this was responsibly disclosed to Google back in December last year. They’ve now fixed it as of Android 10 and the May security update in Android. Well, essentially, if you run Android version 9, you’re potentially vulnerable to this. It basically masquerades itself as a different app, including the icon. It’ll take you to a separate login page, which is the attacker’s login page, when you click on and open the app. And it can also sniff your GPS data, images, logins, SMS messages, emails, phone logs, etc. Anything that’s stored on your local device, it can be viewed. If I’m honest, there hasn’t been a lot of proof of concepts. I’m not sure if this has been fully weaponized as of yet. I think it’s just a vulnerability, but if it wants to be weaponized, be sure to definitely update your Android because it’s going to be hard to track and it will be quite painful if you fall victim to it. I know I have a lot of questionable apps on my mobile just for fun. But yeah, if one of them was sniffing that information, I’d sure as hell know about it. But yeah, it is quite a scary concept, especially as mobile malware is something that hasn’t really been paid attention to. There are a lot of apps out there that can protect you, VirusTotal, McAfee, all of those various different tools that can protect mobile. Well, in terms of malware, I think the precedent at the moment is definitely a sort of laptop endpoints rather than mobile endpoints. But I think it may shift towards mobile in the coming years. 
There’s definitely a sort of focus at this moment in time on mobile malware and vulnerabilities. It has got a lot of attention, this StrandHogg malware and this vulnerability flaw as well. So it’s, yeah, it’ll be interesting to see where this one goes. Be interested to see if it’s weaponized in any way as well. A lot of times these vulnerabilities are given a really fancy name and then nothing comes of it and no one manages to weaponize it or write an exploit for it. Well, yeah, I’d be updating your Android devices to the latest version and security patches as much as possible if I were you.
DAVID TAYLOR [00:22:41] I mean, who knows? They might get a StrandHogg 3.0 next year. On to our final story, which is the Google reports on government-backed hacking and disinformation. So this is the Google TAG bulletin for the first quarter, TAG being the Threat Analysis Group. I think what this report tells you is all the stuff, all the work that they did, operations to stop the spread of misinformation, which is generally being some sort of state backed groups.
JOSHUA READ [00:23:17] They’re very interesting, these reports. I do like reading these reports, I think. I have to say bravo to Google. They’re very open with the information that they provide. I think the main thing that the Google analysts brought to fruition was the fact that, you know, obviously there were these state sponsored operational misinformation account attacks, both campaigns, first. Well, yeah, there’s a lot that has gone on over the first quarter of 2020. Shane Huntley said, we’ve seen new activity from hack for hire firms based in India. They have created Gmail accounts spoofing the World Health Organisation. Probably not a surprise at this current moment in time. We’ve covered previously how people have weaponized COVID-19 into cyber threats. Well, again, he went on to say that the accounts have largely targeted business leaders in financial services, consulting and health care corporations within numerous countries, including the US, Slovenia, Canada, India, Bahrain, Cyprus and the UK. So it is quite a broad spectrum of attack coming from India. Well, again, it’s an intriguing lure. He says that the emails that were sent in the campaigns urge individuals to sign up for direct notifications from the World Health Organisation. Again, it’s a lure that everyone wants, very topical, very congruent to every single individual on the Earth at this moment in time. We’ve covered it previously. But again, it’s COVID-19 related emails linked to the attacker-hosted website, which resembled an official World Health Organisation website but featured fake login pages that collected potential victims’ Google credentials and sometimes more, such as phone numbers. I think they went on in the report to talk about the work that they’ve done around sort of coordinated misinformation campaigns. So some of these are state sponsored and some of these are quite worrying. 
And it also spreads the awareness of misinformation. I’m a big hater of misinformation. I hate the guts of it. I even hate corporations doing it. I hate individuals reading the misinformation. It annoys me greatly. And in January alone, Google terminated three YouTube channels as part of a coordinated influence operation linked to Iran. They said they linked to a campaign, the Iranian state sponsored International Union of Virtual Media news organisation, which was spreading content covering Iran strikes into Iraq and US policy on oil, which was quite a big hoo-ha back in January, you know, the whole US, Iran debacle before COVID-19, which is quite difficult to remember seeing as the COVID-19’s…
DAVID TAYLOR [00:27:02] It was sort of an assassination, wasn’t it?
JOSHUA READ [00:27:03] Yeah. It just shows that, you know, the state sponsors, the state actors that weaponized social media to spread misinformation. Don’t believe everything you read, read into the stuff a little bit more, read around the topic. But again, in February, Google said that they terminated one advertising account and 82 YouTube accounts that were being used to coordinate an influence operation linked to Egypt. They also said that the campaign was used for sharing political content in Arabic, which was supportive of Saudi Arabia, the United Arab Emirates, Egypt, Bahrain, and was critical of Iran and Qatar. They also found evidence of this campaign being linked to a digital marketing firm, New Waves, based in Cairo. So it’s a deep nested problem. I think Facebook also took action against these campaigns. And there’s also evidence of Twitter taking action in some of March’s campaigns. Well, March was a very, very, very busy month. I think the amount of YouTube accounts, AdSense accounts, Google Play developer accounts and anything else that have been actioned in March is phenomenal. I can say the word phenomenon. They all linked back to government related, sort of, day interest stories, those types of areas. It might be good for those who are interested to read into it. I think we’ll post the link to the report. I think Twitter terminated around 8000 accounts that were, well, around the Serbia route and Pae and all of the shenanigans that are ongoing in Serbia. This story’s into COVID-19 related stuff with China. The amount of work that must be carried out, and the analysis that is carried out, is ridiculous to bring that many down and also keep an eye on that many accounts. Yeah. So hat tips to Google for making this information public. So, yeah, I, that’s…
DAVID TAYLOR [00:29:44] Yeah, it’s crazy, it’s like. And it’s interesting to see this as sort of, you know, it might not necessarily be cyber attacks, DDoS attacks, anything like that. But, you know, having this sort of propaganda, really it’s all these, you know, tactical weaponized digital lock. And I guess especially with the Cairo digital marketing company being the source of some of it. And it’s about, wasn’t it, the restless cause of unrest in these countries. And I guess that’s what they want to do, especially some of the Middle Eastern ones, you know, talk about US policy on oil and things like that.
JOSHUA READ [00:30:17] It’s weaponized information. You know, some of the information that has been sort of diluted and changed in ways and pushed through these social channels can be, is essentially, weaponized because it’s swaying the opinions and views of the general public of those that are involved in those countries. And for me, there is nothing more powerful than social media at this moment in time. If you can sway the general public to think one way or another, it’s, you know.
DAVID TAYLOR [00:30:56] Like Brexit, because, you know, Cambridge Analytica. You know, they used to use that data and then sort of sway the votes one way or the other, you know, with the elections back then. Well, I think that’s all we’ve got time for. Josh, thanks again. Thank you. We’ve got some interesting stories there. I think a few of them we’ll definitely have to keep an eye on for future weeks. Hopefully next time we will pray to the Internet gods and get a bit of a cleaner start. But thanks for your time Josh and everyone else. Thanks for watching Secure with Celerity, your weekly cyber news roundup. Have a nice week. All the best. See you then.