When the coverup is worse than the crime

Google Chose Not to Go Public About Bug That Exposed Google Plus Users’ Data

h/t: Graham Cluley – GrahamCluley.com

Google has experienced a data breach of unknown magnitude involving its Google Plus service. Google has stated that up to 500,000 users were potentially affected by the breach; however, that number only covers the first two weeks prior to patching the bug. The bug was present in Google's system from some time in 2015 until March of 2018. Unfortunately for all involved, the data breach is not the worst part of this story.
 
As the Electronic Frontier Foundation so succinctly states: "Google’s mishandling of data was bad. But its mishandling of the aftermath was worse."  Google attempted to cover up the data breach, choosing not to release information about the event for over six months from the date the patch was applied.  A memo uncovered by the Wall Street Journal indicates that Google discussed the PR implications of the breach, and actively chose to cover up the event instead.
 
In the end, Google chose to shut down Google+.  Speculation is rampant that this was and is an attempt to avoid regulatory scrutiny into the event, though this speculation remains unconfirmed.

Countermeasure: When your company experiences a data breach, for the love of Pete, do not try to cover it up. Have a plan for when data breaches occur. Practice the plan. And when the day comes, stick to that plan.


Getting Up to Speed with "Always-On SSL"

h/t: Tim Callan – Dark Reading

Google's Chrome browser is now marking websites that do not use HTTPS as insecure. Other browsers have already taken this step, or have pledged to follow. This practice has its critics, in large part because enabling HTTPS is not enough to actually ensure a website is secure. HTTPS only secures the connection between the server and client, not the website itself.
 
The details of how websites will be identified as insecure are complicated, but worth reviewing. Time has run out for organizations that have not yet enabled HTTPS to make decisions. It is no longer a question of whether allocating the time and money required to HTTPS-enable one's estate is worth it, but how soon this must occur.

Countermeasure: Enable HTTPS on (at a minimum) all customer-facing websites.  It's worth doing it on all websites, whether customer facing or not.


Chrome 70 Released With Revamped Google Account Login System

h/t: Catalin Cimpanu – ZDNet

Chrome 70 is out, and it is a truly major release. The list of new features is long, and includes some much-requested changes, as well as a slightly-less-questionable-than-before new account login system. Among the most important features is the inclusion of support for the final version of TLS 1.3.
 
Chrome 70 lands just days after Google made significant changes to the rules for Chrome extension developers.  The changes are designed to make life harder for developers of scamware extensions, but there is a possibility that some legitimate extensions will get caught up in the changes.

Countermeasure: Test that the new version of Chrome works with all the extensions and websites you require before releasing it to your end users. As this is a major release, it's also worth testing that your enterprise configuration management of Chrome still works precisely as required.


Who Gets Spear-Phished, & Why?

h/t: Adrien Gendre – HelpNet Security

When your organization is truly and thoroughly compromised, the attack will almost certainly begin with a spear phish.  Spear phishers target individuals who have access to data.  The pros do a lot of recon before selecting a target.  They look for people who engage in risky behaviour, or have socialization problems.  Other popular targets include contractors, suppliers, and other external entities who might have access to data within an organization.

Countermeasure: Read this article to brush up on spear phishing, and then provide cybersecurity training for the likely targets.  Every organization has a limited training budget, so use it where it is most likely to matter.
 


Tweet of the Week

"Consumers are willing to forgive a breach if it is handled appropriately. Many organisations fail to plan for the response aspect of #cybersecurity #infosec"
-@JeffXie

Countermeasure: Implementing security technologies and products is learning to crawl. Incident response is the marathon.

Video of the Week

 

"Git Project, Google+, & Facebook: Application Security Weekly #35"

A spate of recent high-profile breaches involving some of tech's biggest names is debated by the pros.

Interesting Threads

The infosec community at large doesn't seem to believe Bloomberg is correct about its stunning accusations regarding the physical compromise of Supermicro Servers.

"One more nail in the coffin of this story…" - Thomas Rid (@RidT)

"SEC-Regulated statements with language is incredibly thorough in its direct refutation."
- SwiftonSecurity
