Wipe your disks when you're done, ok?

Lessons from the NCIX Data Breach

h/t: Travis Doering – Privacy Fly

Computer retail and e-tail vendor NCIX, founded in 1996, went bankrupt in December 2017. As the company dissolved, it simply walked away from a rental agreement for a warehouse in Richmond, British Columbia. Computer equipment left at these premises was ultimately sold by the landlord through Able Auctions in April of 2018. This equipment included "NCIX’s entire server farm from the east coast which was shipped back to their Richmond warehouse several months ago."
One individual, identifying himself as "Jeff," assisted the landlord in the auction. Jeff retained most or all of the NCIX server hardware, which contained NCIX's data. Jeff then proceeded to sell the equipment for large amounts of money on the basis that the contents of the drives were unencrypted. It gets steadily darker from there...

Countermeasure: Encrypt all your data at rest, and wipe your disks when you're done.


Secret Service Warns of Surge in ATM ‘Wiretapping’ Attacks

h/t: Brian Krebs – Krebs on Security

While ATM card skimmers have been a reality for decades, every now and again this form of crime becomes fashionable once more. 2018 is one of those years, and the latest approach to card skimming is quite sophisticated.
Using a USB endoscope attached to a smartphone to see inside the ATM, skimmers drill a hole in the housing of the ATM and attach a skimmer directly to the PCB of the ATM's card reader. The hole is then covered up, ultimately being finished with false facia that includes a pinhole camera to capture the PIN of anyone using the ATM. This is a sophisticated and difficult-to-detect compromise, and the precise details of how to execute this attack are now circulating throughout the internet's underground fora.

Countermeasure: Always presume ATMs are compromised: shield your PIN, and be very picky about which ATMs you use.


A Crippling Ransomware Attack Hit a Water Utility in the Aftermath of Hurricane Florence

h/t: Pierluigi Paganini – Security Affairs

It never rains, but it pours. And then malware strikes. The Onslow Water and Sewer Authority (ONWASA) discovered the compromise while attempting to recover from Hurricane Florence. The attack involved the Emotet ransomware, and compromised several backend systems.
ONWASA did not pay the ransom, and as a result was forced to rebuild several systems, including having to recreate the relevant databases. While no customer information was reported compromised, customers were unable to pay bills during the outage period.

Countermeasure: If your data doesn't exist in at least two places, it doesn't exist: have you verified your backups today?


Roughtime: Securing Time with Digital Signatures

h/t: Christopher Patton – Cloudflare

Cloudflare is announcing a new high-frequency, low-latency network time source called Roughtime, developed by Google. Roughtime is being pitched as a replacement for the venerable Network Time Protocol (NTP).
NTP is an old protocol, dating back several decades, and is frequently deployed without security features. Roughtime is a time protocol designed to be less accurate than NTP, but which will always be deployed with security features. Not intended for precision applications, Roughtime aims to simply be "good enough" for cryptographic accuracy, something that matters a lot to Cloudflare, who go into significant depth on the hows, whys, and wherefores in this blog post.

Countermeasure: Consider using Roughtime instead of NTP for user-facing services.


Tweet of the Week

"A Raspberry Pi is a disposable rogue device that I plug into the ethernet of a building I just broke into that facilitates hacking into their network."

Countermeasure: Never forget physical security.  Also, consider deactivating any ports not currently in use at the switch.

Video of the Week


"Social Engineering at Work"

Countermeasure: Ever wanted to hack your coworkers? There are many benefits to doing so. Great preso from April C. Wright. Posted by Adrian Crenshaw.

Starts at 5m:53s >

Interesting Threads

"It’s story time! Today, I want to tell you the tale of the time I very nearly got caught on a physical penetration test."


Deep Thoughts

"Social Engineering bypasses all technologies, including firewalls."

- Kevin Mitnick

Quick Links


One Identity Global Survey Shows Organisations Continue to Struggle to Get Basic Identity and Access Management Best Practices Right, Potentially Exposing Them to Security Risks
- Dean Alvarez – IT Security Guru

ThreatList: Half of Execs Feel Unprepared to Respond to a Cyber-Incident
- Tara Seals – Threatpost

US Voter Records from 19 States Sold on Hacking Forum
- Catalin Cimpanu – ZDNet
