Practitioner Brief, August 17th, 2021 – DDoS Attacks, T-Mobile Breach, Phishing Costs & More
Everyone, happy Tuesday, August 17th, 2021. Good morning, good evening, good afternoon. Good morning to you, Anthony. Boom, you made it today, Steve, thank you for being here. Good morning to the magnificent James McQuiggan, and happy Tuesday, sir. Welcome, everyone. August 17th, we're live on Facebook, LinkedIn and YouTube for the Practitioner Brief: risk, impact and mitigation of the latest cybersecurity headlines. Whatever you want to call it, we've got a bunch of stories to talk about today, including T-Mobile, and a terror watch list that was leaked online. Yep, if you think things couldn't get worse, I double-dog dare you to do it any other way. Good morning to David, good morning to A Hard Shell, and to all of you, wherever you're coming in from. This is going to be an awesome day, I'm telling you, I've got a feeling, it's in my stomach, it's pitted somewhere: today is going to be an awesome day.

All right, so if you have not subscribed to our podcast, please make sure to do so now. If you haven't signed up for my webinar, it's a week from today, in two hours, so seven days plus two hours: 11 a.m. Eastern. Clear your calendars and spend an hour with me and the magnificent Roger Grimes talking about hacking MFA: how to properly deploy MFA, how to defend MFA, what's the right way to do MFA, what are the common mistakes around multi-factor authentication, and how you can ask us questions. This is not a death-by-PowerPoint webinar. This is not going to be Roger going off of a "here's our PowerPoint and here's all the funny slides", not at all. Roger and I have a conversation, we talk about it, we show you some videos, we show you some ways of how people manipulate MFA, and then we take it and we really apply it to the practitioner life. We'll take your questions. Be there, sign up now in the show notes, you don't want to miss it. I promise it's going to be epic.

All right, let's take a moment before we get started for our coffee, but before we do that, our coffee is courtesy of KnowBe4 and Anativo, because without them this show would not be possible, so go and check them out as well. And now, my beautiful, lovely double espresso. Can you guys tell I've had like way too many of these this morning? Yeah, here's my third for the morning, so cheers, everyone. Coffee cup cheers, chai cup cheers, and David, good morning to you, and Death Wish Coffee, and coffee cup cheers, oh, and AMA with Roger, how awesome, yes! I am so excited for this one. Cheers, folks. Yeah, there we go, love coffee in the morning. All right, good morning, Chris, and Espresso King, yes, sir. Yes, sir, I am starting as of tomorrow to do a behind-the-scenes look into how I get this cup of coffee done, because people keep asking me about it all the time. Good morning to Jody. All right, here's the deal: a lot of noise going around today.
In the industry, lots of it. I've seen it in my email, my text messaging, people blowing me up going like, "hey, what's happening, what's all the stuff we're hearing?" I want to start off with T-Mobile by saying T-Mobile's acknowledged it. They don't know how it happened. Okay, you have to understand that the way this breach of customer data was essentially discovered was threat actors who got into T-Mobile, the same criminals who got into T-Mobile's data, leaked it on the dark web and said "we've got it". T-Mobile then obtained some of that data, verified that it's there, and now they're doing a deep technical review. That's all I'm gonna say about it, because there's no other details. Everything else you're hearing is buzz, it's BS, it's speculation at its best. We know two things: when an event happens, there's a media hush-hush until you find out what's going on. Once you know what's going on, you start to disclose the IOCs and TTPs of it. All right, and we're so often so harsh: "oh, T-Mobile, another breach", or "these guys, something else". Unless it's something that happens once a month, like Pulse Secure, then we can have a conversation about it. Right now with T-Mobile, everything around it, folks, is fluff. It is, it really is, a bunch of people talking and someone trying to sell a piece of tech because they say, "if you had this, you would have known". Okay.
Thank you very much, but we'll move on, because there's other important stuff going on, like a secret terror watch list with two million records exposed online. In July of this year, Bob Diachenko, who is a legend, came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest. The 1.9-million-strong record set contains sensitive information on people, including names, citizenship, gender, DOBs, which is dates of birth, passport details and no-fly status. The exposed server was indexed by the search engines Censys and ZoomEye, indicating that Diachenko may not have been the only person to come across this list. The researcher told BleepingComputer, which this article is courtesy of, that given the nature of the exposed fields, it appears to be a no-fly or similar terrorist watch list. The researcher noticed some elusive fields, such as tag, nomination type and select indicator, that weren't immediately understood by him. That was the only valid guess, given the nature of the data. Plus, there was a specific field named TSC ID, which hinted to him that the source of the record set could be the Terrorist Screening Center. The FBI TSC is used by multiple federal agencies to manage and share consolidated information for counter-terror purposes. That was after 9/11, nearly 20 years ago: they needed a central database in order for things not to fall between the cracks. So check this out, folks, something serious. The FBI has not commented on the matter, but this appears to be an FBI database. Pray for us, folks.

Attackers can weaponize firewalls and middleboxes for an amplified DDoS attack. Mother-of-all-DDoS attacks are always scary, and the University of Maryland and the University of Colorado Boulder detailed joint research at the USENIX Security Symposium talking about volumetric attacks that take advantage of TCP non-compliance in network middleboxes like firewalls, intrusion prevention systems and deep packet inspection boxes to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those from DNS, NTP and memcached. So the research, which received a Distinguished Paper Award at the conference, is the first of its kind to describe a technique to carry out a DDoS reflective amplification attack over the TCP protocol by abusing middlebox misconfiguration in the wild, a method previously deemed effective at preventing such spoofing attacks. So essentially, think of any way we defend against a DDoS attack today. We do that with firewalls, we do that with intrusion prevention systems, and we also do it through deep packet inspection and traffic protection. What this research essentially showed is that good threat actors who know what they're doing can essentially take our own tools and turn them against us to launch the mother of all DDoS attacks, and they can weaponize it, and once that's there, they can essentially take everything down. The interesting aspect of this, and keep an eye out for it by the way, is someone's probably going to try this now that this research paper is out, and when they do, this is going to be the mother of all attacks. We've often talked about, you know, some of the more advanced DDoS attacks, but this research essentially says that our entire defense ecosystem could be used to actually bring it upon us. So crazy.

James says: "When will all organizations realize that any data uploaded to the cloud needs to be secured and openly searchable?" When they read your comment, I hope. Good morning to Greg, nice to be back, and Chris agrees with James McQuiggan's comment there. I also do.

Devices from many vendors can be hacked remotely due to flaws in the Realtek SDK. A large number of IoT devices, which were already a problem, could be exposed to remote attacks due to serious vulnerabilities found in SDKs, which are software development kits, provided to device manufacturers by Taiwan-based semiconductor company Realtek. The firmware security company IoT Inspector said its researchers have identified more than a dozen vulnerabilities in SDKs provided by Realtek to companies that use its RTL8 chips. The security flaws can be exploited to cause a denial-of-service condition and for command injection, and some of them can be leveraged by remote attackers to take complete control of a targeted device without requiring authentication. An internet search revealed nearly 200 unique types of affected devices from a total of 65 vendors, including IP cameras, routers, residential gateways, Wi-Fi repeaters and toys. The list of impacted manufacturers and vendors includes ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.
The security firm noted that, if impacted vendors sold an average of 5,000 devices of each affected model, the vulnerabilities could expose nearly 1 million systems to remote attacks. The vulnerabilities are tracked as CVE-2021-35392 and CVE-2021-35395. The issues were reported to Realtek in mid-May, and the company started creating patches a few weeks later. It released a security advisory last week, and now here we are. Make sure you have that in your system, folks, and get that updated if you're using it. That's why I think that it's about time in tech that we get a kind of nutritional facts label for all the tech that's in every device we get, so that way we can have an inventory of it and we can update it as we see fit, and we don't have to scramble like I know many people will be doing.

Finally, a really interesting report that phishing costs nearly quadrupled over six years, one that will probably resonate with one of our listeners. Lost productivity and mopping up after the costly attacks that follow phishing, BEC and ransomware in particular, eat up most costs, not payouts to crooks. Research showed that the cost of phishing attacks has nearly quadrupled over the past six years. Large U.S. companies are now losing an average of $14.8 million annually, or $1,500 per employee. That's up sharply from the 2015 figure of $3.8 million, according to the Ponemon Institute, in a report that was sponsored by Proofpoint. One of the most expensive threat types is business email compromise. BEC cost ramped up significantly in 2020, with more than $1.8 billion stolen from organizations as cyber crooks launch ever-slicker attacks, either impersonating someone inside an organization or masquerading as a partner and vendor. And one of the most expensive attacks, obviously, is ransomware. John Oliver did a whole thing on it, going after Teresa Payton in the episode. I don't typically like John Oliver; I watched a part of it and found him to kind of miss the point around ransomware. You can't stop the internet, John Oliver, and if we did, you wouldn't be on it. So take that.

Larry Ponemon, the chairman and founder of the Ponemon Institute, said that because phishing attacks increase the likelihood of a data breach and business disruptions, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to attackers. And here's the phishing cost components. In 2015, the cost to contain malware was $208,000; now it's $353,000. The cost of uncontained malware was $338,000 in 2015; it's now $807,506. Productivity losses from phishing were $1.8 million in 2015; they've nearly doubled to $3.2 million in 2021. The cost to contain credential compromises was $381,000; it's now $692,000. And the cost of a credential compromise not contained was $1 million; it's now $2.7 million, almost two and a half times more. The original phishing cost components of $3.768 million, all of that together, is now nearly $7.9 million, which means an extrapolated total cost of phishing is around $14 million. Folks, the study found that, on average, for a U.S.-size corporation of 9,567 people, lost productivity translates to 363 wasted hours every year, with each employee wasting almost an entire work day due to phishing scams. That's nearly doubled from 2015. This is good, folks.

Kristoff: "Wow, crazy cost. I'm sure we can help reduce it with some great awareness training from James McQuiggan." Yes, we can. But I think this is a great report to take to your board; it's a magnificent report to share with your executive team. Gonna break it down, help them understand, and now this is a really good report. By the way, I plan to use it, I think everyone should as well, and take it to the next level. All of our articles are in the show notes, so you can see all the links right there below. If you're watching us on Facebook, LinkedIn or YouTube, just look at the comments, look at the description section, and you'll see it there. If you're listening on your favorite podcast listening platform, just scroll down to the show notes, you'll see all the links; this one's the last one on that link list, you can get it there. We'll be back with more tomorrow.
On Thursday, James McQuiggan will be joining me on the Practitioner Brief. We've got an awesome System Talk episode that's also going to drop this week, and Digital Debate is relaunching, formerly known as the Tech Town Square, tomorrow at 8 p.m. Eastern on Clubhouse. If you have not joined the Digital Debate club there, go do so now. Until then, folks, have a great rest of your day. Thank you so much for tuning in and being with me this morning. I wish you a lovely, magnificent Tuesday. See you tomorrow. Until then, folks, stay cyber safe, don't fall for phishing, a $14 million expense. There we go, folks.