- Exzec Cyber Newsletter
9th Edition
Olympic Level Worry, Protocol Insecurity, and Wifi Jammin'
The 2016 Olympic games organizers handed out over 450K condoms to the athletic village athletes, amounting to an average of 42 per athlete. Talk about protection.
Another doozy of a week. The one thing about InfoSec is that the breaches, vulnerabilities, and exploits keep on coming. On the menu this week:
- Summer Olympics: that new hot target
- This week’s can’t miss: Change Healthcare, kick ’em while they’re down
- SS7: the protocol that never changes
- Might have missed: $30 million for a zero-day
- Alarm(ing) System: not as secure as you’d think

Big News
An Olympic Level of Worry
Oh, the summer Olympics. It’s that time again when obscure sports like Artistic Swimming, Breaking (break-dancing, yeah, Olympic sport), and Badminton take over the news cycle. While I find the Olympics' athleticism extraordinary, I am only drawn to a few sports like golf, basketball, and soccer (ok, ok football). I must be in the minority though, since Paris, this year’s host city, expects 15 million visitors, with 2 million coming from abroad to watch the games.
What happened: Nothing, yet. Outside of the coordination for broadcasting the Olympics, organizers have to be ready for challenges around physical and digital security considering the size of the crowds and tensions around some of the competing countries. Russia, whose athletes will not be able to compete under their country’s flag, is a prime suspect in cyber attacks that haven’t even happened yet.
Why is it important: The Olympics have always been a target; 2012 saw a denial of service attack that took the broadcast down for 40 minutes. Many cyberattacks at these games go unpublicized, but every Olympic Games in the past 15 years has had its share of attacks. From a physical security perspective, this is the first Olympic Games where the opening ceremony won’t be in a stadium. That presents unique physical security risks as 600K people line the Seine River to watch athletes parade down on boats.
The other side: This presents a unique opportunity for more international cooperation on cyber defense. The head of France’s cyber agency, Vincent Strubel, recently met with US officials to help coordinate and plan against potential attacks.
The takeaway: The games present a unique challenge, but the primary goal of France’s preparation is to help detect and respond to physical and virtual incidents. There are backup plans for the opening ceremony should they deem a threat to be too critical to ignore. On the cyber front, their goal of preparation is to minimize damage, communicate what’s happening to the media, and should something happen, avoid panic.
tl;dr: Olympic games are a target. France is prepping. Let’s watch some Olympic breakdancing.
Can’t Miss
Breaches, vulns, and more.
Surveillance: The US House has reauthorized a controversial program that allows monitoring of phone calls for non-Americans. The issue? They also gather data on Americans, which the FBI has misused on multiple occasions. Up next, the Senate.
Change Healthcare: Yep, those folks. Apparently, they’re being extorted by another ransomware gang called RansomHub. The gang claims to have exfiltrated 4 TB of sensitive data. This is likely the gang that ALPHV ripped off. At least their wallet is already open I suppose?
Palo Alto: CVE-2024-3400 is being exploited in the wild. The vulnerability allows command injection which may allow attackers to run code with root privileges. It’s a bad one. Patch it!
Apple: The company sent out notifications to users in 92 countries alerting them that they may have been targeted by mercenary spyware groups.
D-Link: A critical flaw in the company's attached storage devices could lead to command execution. These devices are EOL so they likely won’t be patched. Get them offline or limit remote access!
Google: The company has rolled out an upgraded ‘Find My’ network more on par with Apple’s offering. The difference, Google claims, is that they’re attempting to prevent users from being tracked to their homes, a consistent issue with Apple’s Airtags. Let’s see if it works.
The name’s 7, SS7. 🍸️ Hacked, not secure.
Ever heard of the SS7 phone protocol? Me neither, but here we are. SS7 is a protocol used in telecommunications for both mobile and traditional phone lines. It’s what lets networks talk to each other, bill correctly across providers, and allow us to roam on other networks when our mobile provider is unavailable.
What happened: Well, lots of things. But it’s hard to track them all down given this protocol has been in use since the 1980s. There has been very little monitoring or reporting of incidents against this protocol. The important part is that it appears the FCC is finally going to try and monitor and fix the issue. They’re requesting all known incidents since 2018 be reported, which is the year they issued best practices to prevent network intrusions.
Why is it important: Recently, flaws in SS7 have been used to reroute MFA passcodes sent from banks. The attackers have taken these passcodes and been able to drain bank accounts. This protocol was also a primary concern with a past President using a personal iPhone for some communications. It’s also allowed for potential abuse in tracking people’s locations. Essentially, exploiting this protocol is the holy grail for bad actors or foreign intelligence.
The other side: Hopefully, this request by the FCC will lead to more transparency about the issues affecting this protocol, as well as incidents that have occurred.
The takeaway: Telco, much like other industries (San Francisco’s floppy disk-reliant train system, for example), uses outdated technology. Without a reason to upgrade, they’ll continue to use it until it fails. This is also a great time to mention why having an MFA code outside of SMS is more and more important.
tl;dr: Telco mobile network connectivity is insecure. No one will fix it.
More: TheRegister | Vice | TheGuardian
Tip of the Week
Use a mobile app or hardware token for multi-factor authentication. It will ensure you’re not prone to SIM swapping, the SS7 protocol exploits we wrote about above, or good ole fashioned shoulder snooping!
Might Have Missed
Crowdfense: A morally questionable company is offering up to $30 million in bounties for full chain exploits across Android, iOS, and browsers. That’s a lot of dough, but the exploits are more than likely being built into weapons and sold to governments. Hmmmmm 🤔….
LastPass: Some of the company's employees were targeted by deep fake voice phishing attacks impersonating the company’s CEO. While the attack was unsuccessful, deepfake attacks are on the rise. If it feels phishy, it probably is.
Canada: The government has introduced new legislation to prevent online hate speech and harmful material. While the bill has some valuable components around child safety, there is a secondary piece raising eyebrows and voices from privacy advocates. Does it go too far?
iOS Malware: An advanced iOS backdoor, allowing harvesting of contacts, texts, and location data, is making the rounds again. This time, it appears to be targeting South Asian iPhone owners.
Unit 8200: The head of Israel’s elite hacking team has been discovered after publishing a book on Amazon and using an email address traced back to him. He’s been anonymous for 20 years, until now. Online privacy is hard.
Ivanti: Multiple Chinese hacking groups have been seen exploiting recent critical vulnerabilities in Ivanti’s products. Let this be yet another reminder to patch those devices.
Off Track
Wifi Jammin’ and Robbery Plannin’
The rise in self-installed home security systems has let budget-conscious homeowners set up and monitor their homes on the cheap. As it turns out, most of these systems share a glaring vulnerability: they are completely wireless, including the cameras and base stations.
What happened: Many of these home security systems are being thwarted by thieves using WiFi jammers. If they can block the signals used by the cameras, entry sensors, and motion sensors, everything goes offline and no alarms are triggered (I am, however). There are multiple instances of this occurring across the US in Phoenix, New York, and Minnesota, but it’s not unique to these regions.
Why is it important: Well, this makes your system useless. Luckily, most of these robberies happen when people aren’t home, but it is happening. Awareness of it and taking action is important to prevent it. Much like defensive services for your laptop or mobile devices, don’t rely on a ‘but it won’t happen to me’ attitude.
The other side: There are steps that people can take to fight back. This article from USA Today and Kim Komando lists several tactics to help secure your home, like using a few wired cameras, installing an SD card in those cameras that can support it, using motion-activated lights, and removing your home from things like Redfin and other mapping services, like Google.
The takeaway: While it’s unsettling to think of this being used in our own homes, there are ways to protect yourself and your belongings. Take them.
tl;dr: Thieves are blocking Wifi signals. Thieves are robbing homes. No alarms are triggering.
More: CrimeOnline | TomsHardware | USAToday
Pups N’ Stuff
This week’s pup: Rizzi, better known as Rizz-nado 🌪️ . She enjoys a fresh buzz cut, a cold treat on a warm day, and knocking pillows off of couches. Here’s to bucking those pillows. 🍺

Thanks for reading this week’s edition. Have feedback or advice, want to submit a dog, or just hate everything you see? Hit this link!