In our latest podcast we cover the lack of security in the United Nations site, and a few IOTA security issues. In our Technology segment we covered how all Oculus Rifts aren’t working due to an expired security certificate and the new Oculus Rift that will be coming out. We also discussed augmented reality app Do Not Touch by Nickelodeon. Enjoy the podcast and subscribe, so you get everything straight to your inbox, including podcasts.
Today we will be covering the United Nations hacks that haven't gotten the level of publicity they deserve, both in this article and on our podcast. In recent years we reported a compromise of the United Nations site, and we can say from experience that calling the United Nations to report that their site has been hacked is no pleasant task. Their initial response was a polite way of saying we might be arrested; once they realized we hadn't hacked them, but had merely spotted that the site had been hacked, we were transferred to the IT guy, who seemed to be in a panic. Like any organization, the United Nations should implement proper cyber security vetting for the code it uses. This includes putting the code currently in use through a third-party audit and bringing its security up to date. They should also have all their programmers learn secure development practices, and audit all third-party code used on their website.
So is the United Nations using proper cyber security measures? It doesn't seem to be the case, since the United Nations hasn't been hacked just once this year: the most recent known United Nations hack was February 4th, 2018. The United Nations was also hacked several times in January 2018, as shown here on January 28th, January 16th, January 15th and January 14th, and six times in 2017 on Open Bug Bounty alone.
These aren't the only publicly documented times the United Nations has been hacked. Zone-H, a site that archives defaced websites, has two archived instances of the United Nations being hacked, in 2008 and in 2006.
While the United Nations has been hacked more than anyone would want, it is important to take into consideration the gigantic size of the United Nations site, with its multiple subdomains. It certainly does not appear that all of their code has been reviewed in years. The best solution would be for them to have a full security audit, get rid of old subdomains they no longer need, and make their code easier to maintain through the multiple tools that are available.
Unfortunately, our conclusion based on the public information about the United Nations site right now is that it is not a safe website per our company's policies on acceptable risk. Being hacked for the last 12 years with no significant sign, that we can see, of improved cyber security certainly does not look like a safe website to us, but it is ultimately up to the user to decide the level of risk they want to take when using a website.
Domino's has been hacked, but this is not surprising, since we spoke to a criminal who claimed publicly, and privately reiterated, that he had hacked into Domino's Venezuela website dominos.com.ve, allegedly using a SQL injection, which he publicly announced. We were unable to independently verify the claims by said criminal, since they wouldn't share where the exploit they allegedly used was.
Why did the criminal allegedly hack Domino's? We do not want to mention the bizarre and insane conspiracy he or she was chasing, but let's just say this criminal who hacked Domino's was chasing something that didn't exist, which other news outlets publicly named over and over in the 2016 U.S. election. We have no idea how Domino's fit into their conspiracy theory, except that they sell pizza and the conspiracy theory was partially pizza based.
So, why are we just now writing about a Domino's hack against Venezuela that allegedly took place in late 2016? Because Domino's, whom we contacted at the time, said something to the effect that they would handle it, but now a Domino's hack against Australians is showing a pattern in their security that is too familiar and that we believe is unhealthy for their customers.
The 2017 Domino's hack in Australia is interesting, since Domino's is saying a third party is at fault: a rating system managed by that third party leaked customers' personal details. This is interesting because criminals want into your site, they are going to look for the weakest link to get in, and unfortunately third parties are the most vulnerable when it comes to code.
A company like Domino's can have a strict security policy, but if it doesn't ensure that its security model is also being followed by its third parties, and doesn't audit their code, then it introduces a security weakness into its threat model. This is a weakness that we take seriously, which is why we audit all third-party code.
We may be publishing more of what occurred in the 2016 Domino's hack, as this is now relevant information, so please check back, as this is a developing news event.
The Louisiana Department of Education, referred to as DOE, had a subdomain hacked yesterday. This was discovered by a researcher and was posted on Twitter September 10th at 4:58 PM. The researcher received an email from the Louisiana government's EDGAR system with a link to the malicious page.
The malware on the page is served up by PowerShell and is believed to be Cobalt Strike. Immediately on hearing this, our CEO alerted some other government contractors, since we do security work for the government but do not have any contacts in Louisiana.
This resulted in the researcher being told by a well-known researcher to contact US-CERT. As of 11 hours ago the page was no longer accessible; hopefully it is down for repair.
Unfortunately, this is not the first time this month that we have reported on United States education systems being hacked.
While the entry point of the exploit is unknown, EDGAR is known to be exploited often and has come under scrutiny by Congress for being exploited, and for the exploitation going undisclosed, for far too long.
We will continue to keep you up to date on the Louisiana government DOE hack as the events are still developing.
Equifax hack and the Equifax data breach in the U.S. and Argentina explained in full
The Equifax hack and the Equifax data breach were horrible, because up to 143 million people had their social security numbers exposed in the Equifax data breach disaster. Now Equifax Argentina has been hacked because Equifax used no security measures for a certain portal's login credentials. So, what happened with the Equifax data breach? Equifax security had a history of not responding to or fixing known security vulnerabilities in their systems at the time the Equifax hack in the U.S. took place. One of many vulnerabilities that had not been fixed was an XSS that was reported a year prior to the malicious hack, which may help show the negligence Equifax showed towards its cyber security.
After the Equifax hack in the U.S. took place, the Argentina Equifax hack took place, because their username and password were the same default credentials that no one in the world should be using. What were their username and password? The username was admin, and the password was also admin.
If you haven't heard that Equifax royally screwed up on providing credit monitoring, or even if you have heard that they messed up, it's far worse than what you know. Originally, when people accepted the Equifax credit monitoring they were waiving their rights to sue Equifax for the Equifax data breach, according to multiple reports. After they came under extreme criticism, Equifax updated their terms to say they meant you can't sue them over the use of the credit monitoring, but you can still sue them for the cyber security breach that has already occurred.
If the Equifax credit monitoring issues stopped there, that would be amazing, but Equifax showed they weren't prepared to handle a breach. Equifax only provides you a year of free monitoring services, and they use their own company's services to provide that one year of monitoring. Senator Schatz wrote a scathing, yet one hundred percent factual, critique of Equifax and the Equifax data breach that points out they will make a large profit off of their credit monitoring; in that critique Senator Schatz stated that the offering was insufficient. He also pointed out that their current one-year monitoring model makes them a profit when people go back to the company that Equifax owns for continued monitoring after the year is up.
It was pointed out by others that Equifax can make up to $120 of profit per person off of credit monitoring, per the page that allows you to sign up. If all 142 million people affected paid for the next year of credit monitoring, they would make 14 billion dollars off of the breach, just on the credit monitoring. Senator Schatz went on to point out that they will make 30 dollars off of each person who wants to freeze their credit file, which is a smart thing to do.
After the scathing critique from Senator Schatz and his colleagues, and the many other people who protested the credit freeze charge, Equifax announced they will be allowing free credit report freezes until November 21st and refunding anyone who paid for the service after the breach was announced. A credit freeze, also known as a security freeze, adds layers of security to your credit report that help prevent criminals from opening new credit in your name.
Equifax went on to say that you will not be automatically enrolled or charged after the free year of credit monitoring is over. However, they do not state that they won't use the email addresses or other information to contact you and let you know you have the option to enroll for another year. Their wording is quite specific in stating that you won't be automatically enrolled, so the possibility of them trying to manually convert you into a paying customer, whether via email blasts or phone calls, still appears to remain per the wording they have chosen to use.
Now let's make this very clear: the Equifax data breach could still make them up to 14 billion dollars if every single person used their service and was opted, manually or via automatic blast email, into one paid year of monitoring after the free year ended. Let's make it equally clear that not every person has signed up for their monitoring, nor would every person renew services, but let's say 50 percent of the 142 million people affected used the service for an additional year on their own dime. Based on Equifax's site, the service costs $120 a year, so Equifax could make 8 billion and 520 million dollars. Even if only 25 percent of people renewed, they would make 4 billion and 200 million dollars off of their own disaster. Nonetheless, they stand to profit off of being hacked.
When you go to equifaxsecurity2017.com to see if you were affected and click on any button to check whether you were affected by the hack or to enroll in the one year of monitoring, they are going to direct you to trustedidpremier.com. Most people won't notice this, since sadly people don't pay attention to the site they are actually on. This site asks for six digits of your social security number, which quite frankly you should never enter online. Furthermore, you did not hire Equifax to collect the data that was leaked about you; they collect it as part of their business model for their clients. You are not the client, you are the product, which the well-written CNN piece makes painfully clear.
How did the Equifax data breach in the United States happen?
Updated: We were correct that Equifax was hacked via the March 2017 Apache Struts bug.
Updated: Providing insight into the carefully crafted Equifax announcement that looks like it blames Apache Struts while avoiding actually doing so. Removed the Quartz article link, since that article appears to be partially inaccurate.
Equifax released a statement that many news outlets took as admitting they were hacked via an Apache Struts vulnerability; however, after careful analysis, that isn't what they were saying whatsoever. They were simply noting that there is evidence someone may have tried to use the two-month-old Apache Struts vulnerability, but had not yet confirmed that is indeed how the hack took place. While we do believe not updating Apache Struts is one way an attacker could have gotten in, their security is inexcusably weak, making it possible that a different exploit was used.
However, the Equifax data breach wouldn't have been as bad if they hadn't kept so much data online about people who never asked for it to be collected. When a site you are the customer of is hacked, that's one thing; when a site that you are the product of is hacked, and in this case you are a product of Equifax, that's entirely different. You are the victim in this scenario, and Equifax put too much of your personal data online. Also, they did not fix known security vulnerabilities.
How did the Equifax data breach happen in Argentina?
The Equifax data breach in Argentina occurred because someone had the idea to set the username to admin and the password to admin. Now, to be fair, they may have just bought some software and not followed the instructions or done any security review whatsoever, such as resetting the default admin credentials for the portal they were using. As far as we know, only thousands upon thousands of people were affected in the Equifax Argentina data breach. The Equifax Argentina data breach is a developing story, so we will continue to update this as more information becomes available.
What countries were affected by the Equifax breach?
There have been multiple Equifax breaches this year, but so far we know that the U.S. and Argentina were affected and the U.K. was partially affected.
We will continue to update this article as more information becomes available.