Security News for the Week Ending September 28, 2018
Cisco Will Eliminate Hard Coded Passwords One Per Month
It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password. I have lost track of how many of them they have removed so far, but the number is scary large.
What is more scary is that I bet Cisco is far from unique – they are just being more honest about it. Are all the other hardware vendors pure as the driven snow. NOT LIKELY!
In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager. In other words, the bad guys could secretly watch the watchers.
Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.
Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server. That is just recently.
This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3). Source: ZDNet.
Gig Workers Targeted by Malicious Attackers
This one is classically simple.
Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.
Unfortunately, those requests have documents associated with them that are infected. When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected. MAYBE the gig worker’s anti virus software will catch it, but if they are crafted just slightly differently for each attack, the AV software will be blind to it.
Freaking genius. As long as it doesn’t happen to you. Source: ZDNet.
Your Tax Dollars At Work
Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great. Equally unsurprisingly, their computers became infected with ransomware.
So they had two choices. Pay the bad guys $30,000.
OR
Pay Microsoft $703,000 plus.
Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.
Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.
According to Homeland Security, over 4,000 ransomware attacks happen every day. I have NO way to validate that claim, but I am sure the number is big. Source : The Trib.
Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA
Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.
Lets compare that to what they might have paid under CCPA, the new California law.
57 million records – say 5% in California = 2,850, 000 records.
Private right of action up to $750 per user without showing damage. Let’s reduce that to $500 x 2.85 million = $1.425 billion.
AG right to sue for malicious non-compliance. $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.
WORST CASE = A little over $22 BILLION.
BEST CASE (Maybe) = 10% of that, maybe $2 billion.
They got off light.
By the way, THIS is why companies are scared of the new law.
Source: Mitch
Newest iPhone, Newest iOS – Hacked in a Week
We tend to think of iPhones as secure. Secure is a relative term and relatively, the iPhone is secure.
iOs 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.
Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked.
To be fair, Pangu team, the ground that announced the hack, said that they had hacked the beta back in June.
So, as long as you don’t think secure means secure, the iPhone is secure.
Less insecure might be a better term. Source: Redmondpie .
by 