The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
When Credit Card Theft Is Good
In This Issue:
- Hackers get hacked…
- Google does (some) security right
- Android, iPhone get exposed
Hackers Get Hacked
Twenty-six million credit cards were stolen, and this is fantastic news: Data for a whopping 26 million stolen payment cards leaked in hack of fraud bazaar. It's rare to hear anyone call the theft of millions of credit cards good news, but these cards were stolen from a black-market site, and the roughly 14 million of them that were still valid have now been reported to the issuing banks.
Banks will now cancel the relevant cards and issue new ones, so there are now 14 million fewer stolen credit cards circulating for use by criminals. The bad news, of course, is that there were 14 million potentially valid stolen credit card numbers in the first place.
An estimated 87 million stolen credit cards are currently known to be on the black market. If that figure includes both valid and expired cards, this single breach wiped out nearly 30% of the known supply; if it counts only valid cards, the 14 million valid cards still represent more than 16% of the supply gone at once. This article has more details: "BriansClub" Hack Rescues 26M Stolen Cards.
The downside of all of this lies in how criminals are likely to react. When you start running low on toilet paper, it becomes a priority to take the time to go buy more. Criminals treat stolen credit cards in much the same way: when supply runs low they go shopping. Expect a renewed push by ne'er-do-wells to steal even more cards over the next several months.
It’s time for everyone to be extremely judicious about when and where they use their credit and debit cards. We here at The Countermeasure strongly recommend purchasing a Hunter Cat: a device which detects the most common form of card skimmer, has a reasonably simple interface, and can be used by anyone with minimal training.
Google Does (Some) Security Right
Google has done an information security-related thing which isn't a horror, abomination, or blasphemy: Google Cloud brings Security Health Analytics into beta. The money quote:
"Security Health Analytics automatically scans GCP infrastructure to surface problems like configuration issues with public storage buckets, open firewall ports, stale encryption keys or deactivated security logging. The tool provides a dashboard that shows potential security issues. When you click on one of those issues, the tool offers a step-by-step remediation plan."
Given the large number of breaches caused by misconfigured cloud storage, this is a tool that very much needs to exist. This follows on from another recent announcement: Google launches Password Checkup feature, will add it to Chrome later this year. If anyone's counting, this is twice in a single month that Google did something security related which isn't utterly abhorrent.
We really are in the weirdest timeline.
As odd as this is for you to read, trust us, it's odder for us to write, but here goes: we could all learn something important from how Google is approaching security here. Security Health Analytics performs checks that every organization using public cloud services needs, and Password Checkup is a feature that has been missing for far too long.
Of course, these only apply to Google's products, and the concepts need to be deployed across the board. Google has provided us a good place to start in building our own policies, and if Google’s actually focusing on security isn't enough of a sign that it's time for the rest of us to get our butts in gear, we don't know what is.
Android, iPhone Get Exposed
It doesn't take long after a vulnerability is disclosed for someone to find a way to profit from it. Two examples made it into the security news this week. First up, criminals are already trading on the Checkm8 vulnerability, which was disclosed a little over two weeks ago: a site posing as the Checkra1n jailbreak installs a slot machine game and generates click-fraud revenue instead. Fake iOS Checkra1n jailbreak site installs slot machine game, generates click-fraud revenue.
So that Apple users aren't alone in this, it took security researchers less than two weeks to publish working exploit code for a recent Android vulnerability, and criminals were exploiting it before that: Security researcher publishes proof-of-concept code for recent Android zero-day.
Use Mobile Device Management (MDM) software on work phones. Invest in endpoint protection. Patch what can be patched, and seriously consider banning any Android phone that isn't getting security patches from its manufacturer or carrier. The "Android never gets patched" problem won't change until we stop buying unpatched phones.
Games of the Week
- Spot the Phish
Thread of the Week
This week brought a headline guaranteed to speed up the pulse of infosec professionals: Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted. For a brief moment, this looked like a catastrophe. As the article explains, sudo is "one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system."
Fortunately, the vulnerability can only be exploited under a specific and rather strange configuration: a sudoers entry that lets a restricted user run commands as any account except root. Hector Martin explains why that configuration is a bad idea in the first place in this Twitter thread:
"So if there are people there who actually had the sample config in the vuln report, they are vulnerable to all hell and back *anyway*, and if they've been trying to play whack-a-mole by excluding all "root-equivalent" user accounts, that's a ridiculous idea and they'll miss one." – Hector Martin - @marcan42
Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard). According to that article, the bug is fixed in sudo 1.8.28.
No matter how 'ridiculous' the scenario might sound, update sudo and patch your Linux hosts.
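Two quick checks follow from the articles above: is the installed sudo older than 1.8.28, and does sudoers contain the non-standard Runas exclusion the thread describes? The POSIX shell script below is an added example, not code from the newsletter or from the linked articles. It assumes that `sudo --version` prints the version as the last word of its first line and that the risky configuration shows up as a `!` inside a Runas list such as `(ALL, !root)`; the sample sudoers it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the newsletter's code): version and sudoers checks for
# the sudo bug discussed above. The fix version, 1.8.28, is taken from the
# article; the sample sudoers file below is constructed, not from a real host.

# Return 0 (true) if version $1 is older than $2, e.g. "1.8.27p1" < "1.8.28".
# A "p1"-style patch suffix is dropped; missing components count as 0.
version_older() {
    a=${1%%p*}
    b=${2%%p*}
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then return 0; fi
        if [ "$1" -gt "$2" ]; then return 1; fi
    done
    return 1
}

# Print (with line numbers) the lines of a sudoers-format file whose Runas
# list excludes a user, e.g. "bob ALL=(ALL, !root) ALL". Comment lines are
# skipped. This is a triage grep, not a full sudoers parser.
runas_exclusions() {
    grep -nE '\([^)]*![^)]*\)' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of such lines; 0 means the non-standard configuration is absent.
count_runas_exclusions() {
    runas_exclusions "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample sudoers for the demonstration.
write_sample_sudoers() {
    cat <<'EOF'
# Constructed sample sudoers
root    ALL=(ALL:ALL) ALL
# Standard entry: alice may run anything as root
alice   ALL=(ALL) ALL
# Non-standard entry: bob may run anything as any user *except* root
bob     ALL=(ALL, !root) ALL
EOF
}

sample=$(mktemp)
write_sample_sudoers > "$sample"
echo "Runas exclusions in the sample sudoers: $(count_runas_exclusions "$sample")"
runas_exclusions "$sample"
rm -f "$sample"

# On a real host: compare the installed sudo to 1.8.28 and scan /etc/sudoers.
if command -v sudo >/dev/null 2>&1; then
    ver=$(sudo --version 2>/dev/null | head -n 1 | awk '{print $NF}')
    case $ver in
        [0-9]*)
            if version_older "$ver" 1.8.28; then
                echo "sudo $ver predates the 1.8.28 fix: update it"
            else
                echo "sudo $ver includes the fix"
            fi ;;
    esac
fi
if [ -r /etc/sudoers ]; then
    runas_exclusions /etc/sudoers || echo "no Runas exclusions in /etc/sudoers"
fi
```

Run it as root (or with `sudo`) so that /etc/sudoers is readable, and point `runas_exclusions` at each file under /etc/sudoers.d as well, since includes are where such entries tend to hide. A non-zero count is worth fixing regardless of the sudo version: as the thread says, excluding root-equivalent accounts by name is whack-a-mole, and the entry should be rewritten as an allow-list of the accounts the user actually needs.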
Podcast(s) of the Week
- Watch out for this latest LinkedIn phish that’s ‘sent’ by a friend
- IoT Attacks Up Significantly in First Half of 2019
- Attackers exploit an iTunes zeroday to install ransomware
- Planting tiny spy chips in hardware can cost as little as $200
- WAV audio files are now being used to hide malicious code
- Cybersecurity: Why your suppliers are still your weakest link
- Ransomware: These are the most common attacks targeting you right now