Secure with Celerity Episode 10
DAVID TAYLOR [00:00:19] Hello and welcome to Secure With Celerity. The show where we take the week’s top cyber security news stories and try and digest them in about 30 minutes. So I’m joined by my cyber security experts, we got Steve Laidler and Josh Read. How’s it going, guys? Not too bad. Not too bad today, but all good. So let’s kick off with our first story, which is about the REvil ransomware operators, who have threatened to leak the files that they say they’ve stolen from the Australian firm Lion, which is a dairy and alcohol conglomerate. And part of Kirin, which is the Japanese brewery. So I think with this, guys, it was mainly last month they reported that they’d had a cyber attack, but they said that no data was stolen. It was just a case of, I guess, that the factory production had stopped but is back online now. But the ransomware operators have said, as a side note: we’ve got your files. And here’s a screenshot to prove it.
JOSHUA READ [00:01:23] Nice ones. They’re almost calling their bluff. It’s a very awkward second to be. And I wouldn’t like to be in that position. You know, not knowing that, because they’re claiming that they have that data, then obviously it’s a worry. And timelines mean that the infection took place back in June, around the 9th. And it was the REvil ransomware, which has a number of components and such it can be called. And it’s got a funny name, but it’s essentially ransomware. The cyber attack caused a delay in production of beer, which everyone is going to be upset about.
DAVID TAYLOR [00:02:04] The biggest crime today.
JOSHUA READ [00:02:07] Especially in the Australia-Asian region. Well, yeah. You know, it’s ransomware. In response to the attack, the Australian company shut down some of its manufacturing sites. And I think still some of them are yet to resume production. And the company also stayed informing customers about the incident and has warned of possible temporary shortages of its beer, which is not great. I think Lion came out and said that our investigations to date show the system outage has been caused by ransomware. Ransomware targeted our computer systems. In response, we immediately shut down the key systems as a precaution. It’s standard stuff done by Lion; a lot of times, people just turn everything off in a panic to make sure that it doesn’t spread sideways or it doesn’t shut down some key components, especially on like a factory and manufacturing process. There are certain ways you’ve got to shut them down, otherwise it’s a nightmare starting them back up. More interestingly, though, with this one is how Lion said that no data had been stolen. Now, for me, that’s a dangerous move, especially after another story came up around this REvil hacker group having released an eBay-like selling platform where fellow hackers can bid on stolen data. It’s quite interesting. I think the analysis that was carried out by the research team on this eBay-like bidding site showed bids started around 50,000 dollars. Or if you wanted to do the old buy it now, you could pay the, as they termed it, blitz price of 100,000 dollars. Now this is dependent on the data set being sold. How valuable is it? Obviously a government entity on that site is going to be more valuable than the likes of a small or medium sized organisation that doesn’t really offer much in terms of the reward if its data is breached. I think the victims of that sale included a US food distributor, a US law firm.
And there was also an intellectual property law firm as well. There are quite substantial data sizes in terms of what was being sold: one was 1.2 terabytes, there was one at 50 gigabytes, and that sort of region. The prices, they didn’t differ much. Obviously, the government entity, the US intellectual property law firm, they had a starting price of 1 million dollars and then a blitz price of 10 million dollars. So obviously, it’s different for each data set, but it’s yet to be confirmed that Lion is on the platform at this point in time, there’s nothing yet to confirm or deny. It’s interesting; that will probably crop up in the news in the coming days. Interesting to know if, A, they have managed to compromise data, and B, they’re now using this new eBay-like platform. I say eBay-like in inverted commas with a pinch of salt. It’s not eBay and it’s far from eBay. It essentially resembles the same principles of eBay. Its sole purpose is to sell, you know, because they have personally identifiable information. You know, anything that’s of value to hackers.
STEVE LAIDLER [00:06:12] It’s like an auction platform, isn’t it? I mean, I guess one of the other things that’s interesting is, you know, who or which party values the data more. Yeah, that’s the opposite. What value does the data have? But also, you know, what is the perceived monetary value of the data as well. So it’s a case of: is the value greater to Lion to protect it and to get the data back? Or the fact that it is put on to some sort of auction platform, you know, who, and then also which party then thinks that data has great value to them in terms of what they can then do with it going forward. And the fact that they have almost a buy it now concept, you know, what if the data appears to have greater value? You can then basically swoop in and buy it at a premium price. And presumably people are looking at the data and assessing its monetary value in terms of its future, what they can do and what revenue they can generate from it going forward. So whether they’re actually evaluating the value of the data for monetary value and the gains that can be made.
DAVID TAYLOR [00:07:32] I think is it. And so Lion could go on and, I guess, auction, if they do believe it’s their data, they could then go on and bid for it. But I guess there’s nothing to stop, you know what? It’s both of them. They’re not saying they’ve got the one and only piece of data that gets them excited. Criminals have still got a copy of it.
JOSHUA READ [00:07:52] And this is what’s worrying is, you know, essentially if you’ve got a copy of data, there’s nothing stopping you. You know, you copy it 30 times and then start 30 different auctions. If you can, you know, auction the data several times, then you’ll be making a lot more money than you would if you were just selling the data set as a whole. If you basically put in a competitive edge on selling your data, you know, you’re almost putting hacker groups against each other for the rights to, or the access to, that data. It seems an odd concept. But essentially, if they’re making money, then it’s a worrying sign. You know, something like, I mean, we’re all aware of how successful eBay has been. You know, in the early days no one had heard of eBay. All of a sudden, this auction site came up and now it’s one of the largest conglomerates in bidding-type selling; obviously, they’ve got their versatile edge in terms of the buy it now and redistribution areas, but bidding still remains at the heart of eBay. So, you know, who knows how successful this is going to be. And I think over the coming months, what’s going to happen with this? It’s gonna really set the scene for the next couple of years in terms of, you know, how they are selling data.
DAVID TAYLOR [00:09:20] Definitely will. We’ll keep an eye on it, and I’m sure this won’t be the last story we cover moving forward. So moving on to our next story, guys. It is about the e-learning platform that exposed personal information of over 1 million North American students. This is a leaky database.
JOSHUA READ [00:09:36] It’s quite a leaky database. So the research is recent. Well, there’s a… this week they discovered there was a leaky database belonging to the e-learning platform, One Class. Essentially, everything’s the same as every other online learning platform. It’s remote learning; it provides education assistance and allows students to access study guides. And its main demographic in terms of customers is North American students. The interesting thing about this story is the demographic of that customer base that was involved: there were a lot of, apparently, there were a lot of customers that were under the age of 13, which obviously is always a worry.
STEVE LAIDLER [00:10:28] From the age of 13, not under, I would say 13 and upwards.
JOSHUA READ [00:10:32] Sorry. It allowed users to register. Well, I mean, records contained personally identifiable information: first names, email addresses, schools, universities that they’ve attended, phone numbers, courses, enrollment and attention. Their account data, or account details, for One Class within it. It was a 27 gigabyte database that included 8.9 million records and an estimate of improperly stored, personally identifiable information of more than 1 million students. So it’s quite a substantial size data breach. You know, the investigators contacted the company on May the 25th and One Class was able to secure the server within 24 hours. However, the company denied any impacts, which I found very, very odd. They were claiming that it was a test server. But essentially, if 1 million users have been breached and data included, you know, full names, e-mail addresses, schools, universities that they’ve attended, that is very impactful. Even if it is a test environment, there’s a lot of, you know, there will be a lot of organisations out there that slap a test stamp on, you know, an environment, a cloud environment, a server, and say it’s test. We don’t need to do anything with it. We’re not patching, it’s a testing environment and we don’t need to put security controls on a test environment. And essentially, it isn’t a get out of jail free card. You know, even if it is test, it needs to have, if not the same amount of security controls, then more. There’s a lot of concerns that, you know, revolve around this test element of systems. I think the company officials have provided no additional comments or statements after this. So it’s not clear if any malicious actors have actually found that data and are using it. But we’ll never know unless it comes out that a hacker group claims that they’ve used the data or managed to obtain it.
STEVE LAIDLER [00:12:53] I mean, a lot of production data. But, you know, test environments sometimes clone production data because they need a realistic data set to test against. Sometimes, you know, production environments are cloned for backup purposes. So that you can snapshot the data, clone it onto a test database, restart your production database and then back the duplicate up. But again, if it does have particularly sensitive information on there, if it does have production level information, depending on the sort of confidentiality or how sensitive it is, then those same controls need to be applied to that test environment as well. Whether that’s policy and procedure or whether that’s technical controls or whether it’s a combination of all of them. And they all then need to be maintained because effectively, it’s not really the fact it’s a test system or whatever, whether it’s test, acceptance or prod, it’s the data that’s held on it that then dictates what the procedures are around it.
JOSHUA READ [00:14:02] I think the worrying thing with this one as well is, as I mentioned before, the demographic of users that could potentially have been breached is, you know, we talk constantly around how users aren’t really well versed in cyber security. People view it as, you know, a pain because it puts speed bumps in the way of process. It’s worse in terms of a young demographic. There’s actually been a lot of research for years about protections put in place for people who are so young. You know, there are a lot of people out there that aren’t well versed with, you know, maybe the concepts of phishing or, you know, even some of the more basic, most basic criminal schemes that fraudsters and cyber criminals use. It makes them even more vulnerable because they haven’t maybe got the experience with I.T. or they’ve not had the life experiences that they need that also help them understand the way that fraudsters and criminals work. It makes it more important and essentially it makes them more vulnerable. You know, it could be numerous attack vectors played on the customer demographic of, you know, 13 year olds, 14 year olds. You could employ a phishing email for a Fortnite account and say that they need to pay money for this amount, you know, to obtain access to their Fortnite account. And that would be really, really impactful for a lot of the 14 year olds around the world. There’s a lot of that age group that play that game. So it’s relevant to the user and the child and it is also impactful. So they’re going to take action. Now, whether that’s getting the parents’ credit card details, obviously this is just one attack vector, which could happen as a result of their credentials being leaked. So I think there’s a sense of responsibility that everyone needs to take, especially this One Class, if it does come out. You know, I find it very odd how they said it wasn’t very impactful.
STEVE LAIDLER [00:16:18] This is the kind of circumstance where really things like GDPR and that were designed to really, you know, hold companies to account, because at the end of the day, you’re holding data on behalf of somebody else.
JOASHUA READ [00:16:31] Yeah, definitely.
DAVID TAYLOR [00:16:35] So should we move on to our next story? So this is around two critical, urgent Windows updates being released. So it must be pretty urgent considering they couldn’t wait for the monthly patching of it.
JOSHUA READ [00:16:50] Yeah, these two were very odd ones. It’s been a while since we’ve had any out-of-band patches that have come through, not being part of the regular Patch Tuesday schedule. Both of these patches that were released were in relation to the Windows Codecs Library, which is at the heart of a lot of media-based Windows applications. Both were remote code execution vulnerabilities. The process for exploiting these vulnerabilities required the attacker to trick a user into running an affected program and opening a specifically crafted image file, designed to be opened with an app that uses the Windows Codecs Library. It’s very, very easy to exploit; the attack method could be simply a phishing email with the file attached saying you need to click this and open it. And I think that is the main reason why they’ve rushed these patches through. In terms of patches, it’s not following the standard patching deployment method of, you know, you’ve got your MSI package, you’ve got, you know, KB release codes. It’s essentially these updates are pushed out via the Windows Store or Microsoft Store app, as it affects some of the core application components rather than on an OS level. So most laptops today, affected customers will be automatically receiving updates via the Microsoft Store. If organisations deem them vulnerable or they’re, you know, worried about this vulnerability, you can go on to the Microsoft Store and check for updates and the HEVC video extension will pull itself down and install. But then it crops up another issue: if organisations turn off automatic updates for Store apps, which a lot of organisations might do by group policy or via organisational policies, essentially you won’t be receiving these automatic updates and you’ve got to do it manually.
And, you know, it is a very odd way; the announcements that went out weren’t very clear and they sort of rushed to bring it out and they didn’t actually give a lot of details. There were a lot of people panicking. And then obviously they released the details of the vulnerability. And, you know, it is what it is. It’s a vulnerability. And it’s been released out-of-band. And it’s going to be a pain to manage and understand exactly what is vulnerable. The affected OS at this moment in time is Windows 10, version 1709 to version 2004, which has just been released. So it’s basically anything that’s really Windows 10 at this moment in time. They did say that Windows 7 was affected, but then they removed it from the advisory. And the KB release codes, yeah, it is following. It’s a developing story and it’s a nightmare to keep track of.
STEVE LAIDLER [00:20:23] Get your patches on.
DAVID TAYLOR [00:20:27] Patch, patch, patch. Shall I, everyone, tell our final story? Which I think is going to ruffle a few feathers. I know Josh is super super angry with this one. But, yeah, this is a massive study that has been done around a billion accounts and found that 1 in every 142 passwords is, unbelievably, 1,2,3,4,5, and 6 for good measure even.
JOSHUA READ [00:20:54] Yeah, it’s a shame they didn’t put seven on them to make it that much more secure.
DAVID TAYLOR [00:21:01] One in every 80 is 1,2,3,4,5,6,7 maybe.
JOSHUA READ [00:21:06] It doesn’t surprise me at all. I am not surprised. Some interesting statistics about this. I love a good statistics document and some statistical analysis. It gets me excited. This one, basically, they got a dump of a billion passwords that they’ve managed to gather from dark web forums, data breaches that have been public and basically informational repositories. And of all that billion credentials that they mass obtained, they boiled it down to 269 million passwords and 393 million usernames. So of the billion credentials, there was essentially only 169 different unique passwords. Which obviously is a massive warning sign already. And there was, well actually, and then I’ll ask this question: you can probably already guess what the most common password was based on now.
DAVID TAYLOR [00:22:22] 1,2,3,4?
JOSHUA READ [00:22:23] No, 1,2,3,4,5,6. This one covered roughly 9.722% of all passwords that were found. Which seems like a very low percentage. But when we’re talking billions, that’s around 7 million passwords per billion, which is still very, very worrying. The most common 1000 passwords, which are very well documented on the web everywhere, I wouldn’t advise anyone using any of the 1000 most common passwords, and obviously they are common passwords so people must still be using them. They covered 6.6% of all passwords. Which again, doesn’t surprise me; they’re common passwords for a reason. People don’t feel the need to protect their own personal data on platforms. So, yeah, the most common 1 million passwords’ hit rate was 36.28%, which is slightly understandable. What shocked me the most? Well, they all shocked me; in addition, I don’t think anything shocked me the most out there, it was all very shocking. The average password length was 9.4822 characters. Now, I mean, in the info security world, a strong password is deemed anything over 24 characters long. Now information professionals have to be realistic and understand that your average Joe isn’t going to have a password that’s 24 characters long, because essentially passwords are meant to be remembered. And if you can remember 24 character words, they’re going to have to be really memorable or you’re just going to have a photographic memory. So there were 12.04% of passwords that only contained a special character. So again, that’s another worrying sign. 28% of passwords are letters only, with no numbers and special characters. 26% of passwords are lowercase only. Which again, is shocking. And 13% of passwords are numbers only. So literally, 1,2,3,4,5,6. So, yeah, I mean, to put that into context, if you’re using, you know, Jack the Ripper, Hydra or any of the, you know, widely used password cracking tools that cyber attackers use.
The password 1,2,3,4,5,6 is probably at the top of that massive common password list. If the 1000 most common passwords are available on the World Wide Web, you can almost guarantee that hackers are using those 1000 most common passwords in brute force attempts. They will literally have a Word document or a text file full of the one thousand most common passwords and literally sequentially go through those passwords and try and hit and brute force your account.
STEVE LAIDLER [00:25:37] Within seconds.
JOSHUA READ [00:25:39] Yeah. Yeah. And that was the thing inside. The password 1,2,3,4,5,6 would take less than a second to crack. It’s one of the most common passwords. If you’re an attacker and you want a database, if you’re a lucky attacker, you have a database of 1 billion usernames, you could crack 7,220,000 in less than a second. Obviously, that’s dependent on the hacker’s processing power and their Internet speeds. But essentially, if you know it, then you’ve got access to a great deal of accounts. And really, it comes down to the password advice; in my honest opinion, the government doesn’t offer enough advice around passwords and it’s always been a topical issue. You know, the government has always advised that you have three random words as your password, i.e. don’t grass banana. Three completely irrelevant names that don’t relate to each other. But, you know, use it. If they’re all lowercase letters, then it might be hard to crack. But it’s gonna be harder to crack than 1,2,3,4,5,6, you can trust me on that one.
STEVE LAIDLER [00:27:01] It probably comes down as well to whether your organisation is having a good password policy, and then you put a good corporate password policy or a security password policy in place and then use the technology to enforce the password policies to make sure that simplistic passwords can’t be used. You’ve got to use complex passwords of a certain length, which can’t be reused within 10 tries, a number of tries. And they also have to include symbols, characters. Most organisations do that anyway. Some don’t. A lot of technology gets delivered to customer sites, storage arrays, servers, that have supervisor cards and that kind of stuff, that have like a default password that is set across that hardware platform that the vendor makes. Often people who deploy it won’t change that default password. They leave it as the default. Not all of those systems are going to be exposed to the Internet. Most of them will be within the corporate boundary. But every now and then, there’s a possibility, whether that’s configuration error or, you know, just by the fact that they need to be monitored remotely, they will be presented onto the Internet. And if somebody could get onto a storage array with a simplistic password of 1,2,3,4,5,6 they could potentially blow away the LUNs, blow away the storage and shut service down. That’s in the simplistic terms. But if you’re in the organisation, then you move into the world of malware, ransomware, etc. So it’s not just, you know, locking the data and causing mischief. You could actually do some fairly heavy damage at a hardware level with simplistic passwords.
JOSHUA READ [00:28:46] And this is the thing: there’s websites out there like Shodan. You know, the publicly available websites and basically forums for publicly available, you know, that can be anything from CCTV networks to webcams. These aren’t incredibly hard; you think that’s gonna be hard, to get to that website? You literally just search, Google search it. And basically, if you go on there, it will give you a link to, you know, publicly available interfaces. The amount, you know, I’ve been on it previously in my personal time, just looking through the amount of, you know, login interfaces that use admin and admin is remarkable. And essentially, you know, they’ve got the default password on a lot of them that weren’t changed from the manufacturer passwords. So you can go on and work out what the manufacturer password is based off the documentation and then, essentially, you can be in the CCTV network watching what’s happening halfway across the world. In Russia, China, Ukraine. And that’s what we’re getting at here, is essentially passwords are at the heart of everything, security. If you don’t put secure passwords on, more often than not you’re automatically hanging your laundry out to dry in front of the public. Your password is meant to be secure. It’s meant to be the heart of security. And if you haven’t got a strong password, then you’re your own worst enemy, if you want to be a secure company or want to be a secure individual. And, you know, there’s multifactor authentication and there’s loads of open source stuff that you can use for multifactor authentication. The likes of Microsoft Authenticator. They plug into a lot of social media stuff: Facebook, Snapchat, Instagram. If I’m honest, I think there should be a push from the social media platforms, as well as all platforms, to enable multifactor authentication. It’s a great thing if it works. And, you know, essentially you could have the password 1,2,3,4,5,6.
It wouldn’t matter, because if you’re on the other end with your multifactor authentication device, whether it’s your mobile, and you are saying approve or disapprove of sign-ins, then, you know, it doesn’t matter what strength your password is, you can have the weakest password possible.
STEVE LAIDLER [00:31:09] It gives you some level of protection, doesn’t it?
JOSHUA READ [00:31:14] Essentially, you shouldn’t really have the weakest password possible because…
DAVID TAYLOR [00:31:23] So definitely, I think, I mean, obviously, like in enterprise and business, you know, you need to have your strong passwords; then, from that, on a personal level, I mean, we have so many log-ins for things. I know I’m constantly having to, like, re-change my Netflix password every time because I just forget it. Or, you know, I was into stuff like that from changing devices. So I guess like a password manager I could go to?
STEVE LAIDLER [00:31:49] I mean, it centralizes all your passwords, which might be a bad thing, but also having a password manager, you know, as long. But again, you need security on the password manager.
JOSHUA READ [00:31:58] Yeah. If users, you know, if people are used to having weak passwords and then they put a weak password on their password manager and then that gets breached, then essentially it’s got all of their passwords. It depends on your cyber hygiene. Password managers, I’m not gonna say yes or no on that one. My opinion.
DAVID TAYLOR [00:32:21] All right. Well, on that note, guys, I think that’s all we’ve got time for today. But thanks for your input, as always. And to the viewers, thanks for watching. And remember, do not use 1,2,3,4,5,6 or 7 as your password. We’ll catch you next week.