Cyber Security Headlines – November 23, 2021

GoDaddy data breach impacts millions

The web hosting giant disclosed a data breach to the Securities and Exchange Commission, warning that 1.2 million customers may have had information accessed. According to CISO Demetrius Comes, the company detected unauthorized access in the environment where it hosts and manages its WordPress servers. The attacker gained access around September 6th using a compromised password; GoDaddy did not discover the intrusion until November 17th, roughly ten weeks later. Customers’ sFTP credentials, WordPress usernames and passwords, email addresses, and customer numbers were exposed in the breach. The company has reset the WordPress passwords and private keys, and is in the process of replacing the affected SSL certificates. 

(TechCrunch)

Microsoft looks at brute-force attacks

According to an analysis of Microsoft’s honeypot servers, most brute-force attackers guess short passwords and largely avoid long passwords or ones with complex characters. Over a 30-day span, 77% of brute-force attempts used password guesses between 1 and 7 characters long, and guesses over 10 characters made up only 6% of tries. Only 7% of attempts included a special character, 39% contained a number, and none included whitespace. Provided a password is not in a standard attack dictionary or already leaked online, a longer password containing special characters would fall outside the space most brute-force attempts actually explore. 

(The Record)
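The honeypot analysis above is essentially a bucketing of observed guesses by length and character class. The following is an added example (not code from Microsoft or The Record) that applies the same categories, with the 7- and 10-character cut-offs taken from the article, to a constructed list of guesses such as an SSH or RDP honeypot might log; the sample guesses and the helper names are assumptions for illustration only.

```python
import string
from collections import Counter

# Constructed sample of password guesses, standing in for what a honeypot
# would record from brute-force logins. These are NOT figures from the study.
SAMPLE_GUESSES = [
    "123456", "password", "admin", "root", "qwerty", "1234",
    "Password1", "letmein", "welcome", "admin123",
    "P@ssw0rd!", "changeme2021",
]

def classify(guess):
    """Bucket one guess the way the article describes: length band
    (1-7, 8-10, 11+) plus special-character, digit and whitespace flags."""
    n = len(guess)
    if n <= 7:
        bucket = "1-7"
    elif n <= 10:
        bucket = "8-10"
    else:
        bucket = "11+"
    return {
        "length_bucket": bucket,
        "has_special": any(c in string.punctuation for c in guess),
        "has_digit": any(c.isdigit() for c in guess),
        "has_whitespace": any(c.isspace() for c in guess),
    }

def profile(guesses):
    """Summarise a list of guesses as percentages per category, so a
    honeypot's own data can be compared against the published numbers."""
    total = len(guesses)
    lengths = Counter()
    flags = Counter()
    for g in guesses:
        c = classify(g)
        lengths[c["length_bucket"]] += 1
        for key in ("has_special", "has_digit", "has_whitespace"):
            if c[key]:
                flags[key] += 1

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "length_pct": {k: pct(v) for k, v in lengths.items()},
        "special_pct": pct(flags["has_special"]),
        "digit_pct": pct(flags["has_digit"]),
        "whitespace_pct": pct(flags["has_whitespace"]),
    }

def outside_observed_space(password, wordlist):
    """True if a candidate password is longer than 10 characters, contains a
    special character, and is not already in the supplied guess list. This is
    only the article's heuristic; it is not a substitute for checking against
    real breach corpora, which the article explicitly carves out."""
    c = classify(password)
    return (len(password) > 10
            and c["has_special"]
            and password not in set(wordlist))

if __name__ == "__main__":
    stats = profile(SAMPLE_GUESSES)
    for k, v in stats.items():
        print(f"{k}: {v}")
    print("outside observed space:",
          outside_observed_space("correct horse!battery", SAMPLE_GUESSES))
```

Feeding `profile()` the guesses from your own honeypot or failed-login logs gives a local baseline to set against the 77% / 6% / 7% figures; `outside_observed_space()` encodes the article's caveat that the heuristic only holds for passwords absent from dictionaries and leaks, so pair it with a real breached-password check in practice.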

Printers used to bypass fingerprint authentication

Security researchers have previously shown it is possible to defeat modern fingerprint sensors using specialized equipment like DSLR cameras and high-end 3D printers. However, Kraken Security Labs found a significantly easier way to defeat these protections. They photographed a fingerprint with a modern smartphone, inverted the image to create a negative, then printed it onto an acetate sheet on a consumer laser printer. Spreading wood glue over the print and peeling it off once dry produced a fake that fooled the fingerprint sensor on a modern MacBook Pro. The researchers said the method shows that a fingerprint should not be used as a single factor in place of a password, but rather as one part of a two-factor authentication arrangement. 

(Bleeping Computer)

Cybersecurity incident disrupts Iranian airline

One of Iran’s largest privately-owned airlines, Mahan Air, disclosed a cybersecurity incident that took its website offline, although it maintained that flights remained on schedule. The company said the attack was successfully thwarted, and characterized these kinds of attacks as common and something it is used to handling. While Mahan Air has been targeted by US sanctions, it does not appear that American action was behind the incident. The actor claiming responsibility said the action was in support of the rights of the Ahwaz minority in the country, and claimed to have obtained confidential information in the hack. 

(Bleeping Computer)

Thanks to our episode sponsor, deepwatch

What is the value of good security? Can you quantify what mature detection and response means for your organization? A recent Forrester study found that a deepwatch MDR customer achieved 432% ROI and over 10 million dollars in benefits and savings from their solution over a 3 year period. Visit deepwatch.com/tei-report for the full report and to learn how your team could see the same success.

Study looks at how to reduce social media hate speech

Scientists at New York University’s Center for Social Media and Politics published a new study examining the effectiveness of hate speech warnings sent after content has been posted. The study focused on the followers of suspended Twitter accounts, where those followers had themselves used hateful speech. The researchers created three types of message: one emphasizing what the user stood to lose by using hateful speech, one emphasizing legitimacy and respectfulness, and one presenting the sender as an expert. Each message was written in a high-intensity and a low-intensity version, and a control group received no message. The study found that a single message reduced hate speech over the following week by 10%, with politely worded messages the most effective, producing a 15-20% reduction a week later. The researchers did not see users respond with even more hateful language after receiving a message, but acknowledged that might change if Twitter itself sent the message. Twitter found similar results in its own experiment with hate speech warnings shown before content is posted.

(Protocol)

UK reviewing medical devices for bias

UK health secretary Sajid Javid announced a review of all medical devices for racial and gender biases, saying that these may have contributed to the overall higher death rates in Black and South Asian people in the United Kingdom during the COVID-19 pandemic. Last year, University of Michigan researchers found that pulse oximeters are more likely to miss low levels of oxygen in Black patients than white patients. Medical algorithms were not specifically named in this review but could be included. Javid also said he’s working with counterparts at Health and Human Services in the US, as well as other nations to develop international standards for medical devices.

(The Verge)

Publication details for the Facebook Papers

We’ve covered the leaked data from the Facebook Papers on this show when relevant. Initial reporting was generally published by the Wall Street Journal, which was the publication in contact with whistleblower Frances Haugen. Gizmodo and other publications later obtained the documents from a Senate Commerce subcommittee, and Gizmodo has now published details about how it will release them to the public. A group of independent monitors, including members of the ACLU and academics across journalism and engineering, will review documents for publication and vet local experts for documents focused on countries outside the US. Documents will be reviewed both to avoid privacy harms and to avoid serving as a roadmap that malicious actors could use to evade the moderation controls Facebook has in place. 

(Gizmodo)

EduTech company gets failing grade for data security

SmarterSelect is a company that provides software for managing scholarship applications. The security company UpGuard discovered that a misconfigured Google Cloud Storage bucket exposed 1.5TB of the company’s data, including student transcripts, resumes, and invoices tied to 1.2 million student applications to various funding programs. The exposed data spanned November 2020 through September 2021 and may cover up to 75% of SmarterSelect’s customers. It is an unusually sensitive trove, with the detailed financial information from FAFSA forms, including Social Security numbers, alongside student photos and personal essays. UpGuard sent several notices to the company starting on September 15th, but public access was not revoked until October 5th, roughly three weeks later. It is unclear whether anyone else accessed the data, or whether SmarterSelect has informed the affected customers. 

(TechCrunch)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.