InfoSec Round-Up: August 30th 2020

NZX DDoS, Uber CSO Charged, TikTok Sues Trump & Social Accounts Exposed

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are discussing the former Uber CSO charged with obstruction, TikTok fighting back against US action, the New Zealand stock exchange downed by a DDos attack and 235 million social accounts found exposed.

Former Uber Boss Charged Over Hiding Data Breach

Uber’s former chief security officer Joseph Sullivan has been charged for obstruction of justice, following a 2016 data breach which saw 57 million users details exposed.

According to charges filed by the US Department of Justice, Sullivan had taken “deliberate steps” to avoid the Federal Trade Commission (FTC) finding out about the attack.

Having previously admitted to paying a ransom of around $100,000 to the hackers, for the assured destruction of the stolen data, the popular transport company let Mr Sullivan go back in 2017 when the breach was first publicly revealed.

Disguised as a “bug bounty”, Sullivan approved the ransom payment to hackers, as well as reportedly asking them to sign non-disclosure agreements.

Now working as CSO at web-infrastructure company Cloudflare, Sullivan has also previously held positions at eBay, PayPal and Facebook.

Deputy Special Agent, San Francisco  stated on the case: “Concealing information about a felony from law enforcement is a crime… While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks.”

TikTok Suing Trump Administration

The popular social media company TikTok has announced that it is challenging the Trump administration’s efforts to ban the platform, claiming that it has been treated with undue suspicion and without due process.

Announced via a blogpost, the company is arguing against assertions that it represents a national security threat, claiming that it has “taken extraordinary measures to protect the privacy and security of TikTok’s US user data”.

President Trump signed the executive order earlier this month, a document which amongst other things claimed that the data collection of the app potentially allowed the Chinese state to “track the locations of Federal employees… build dossiers of personal information for blackmail, and conduct corporate espionage.”

Also stating, “The United States must take aggressive action against the owners of TikTok to protect our national security.”

The order also gave the company a 45-day period to find a US buyer for its American operations, a deal which if brokered, the President suggested the government should have its cut of.

TikTok said of their legal action: “We do not take suing the government lightly, however we feel we have no choice but to take action to protect our rights, and the rights of our community and employees.”

New Zealand Stock Exchange Downed in DDos Attack

The New Zealand stock exchange (NZX) has this week been seriously affected by a distributed denial-of-service (DDos) attack, with trading being halted for several days.

The exchange first went offline on Tuesday afternoon following what the organisation has referred to as a “volumetric... attack from offshore via its network service provider”, describing the attack as “mitigated” soon after. (https://www.nzx.com/announcements/358636)

The exchange, which was online Thursday morning for a mere 70 minutes, before again being shut down, has disclosed little in the way of details about the attack.

The incident comes as just the latest “state-based” attack against the region, a problem which Australian defence minister, Linda Reynolds, described as “increasing in frequency, scale, in sophistication and in its impact.”

Prof Dave Parry, of the computer science department at Auckland University of Technology, described the attack as “very serious”, noting, “Unfortunately, the skills and software to do this are widely available and the disruption of COVID and people working from home all over the world, potentially with lower security on their computers, means that these attacks are easier than usual.”

235 Million Social Media Accounts Exposed

A database containing profile information for 235 million TikTok, Instagram and YouTube accounts has been found exposed by security researchers.

Left unsecured without password protection, the ‘scraped’ data belonging to hundreds of millions of social media users, is suspected to have originated from now non-operational data trading company Deep Social.

Both Facebook and Instagram had banned Deep Social from their marketing APIs back in 2018, as well as threatening legal action against the company if it continued to ‘scrape’ data from their users’ accounts.

The records contained, amongst other information, profile names, ages, genders and engagement metrics. Despite this information being predominantly ‘publicly available’, the scraping of information from such platforms is often a violation of policy.

Though Deep Social ceased operations in 2018, the data is now in the possession of a different company, Social Data. An operation which strongly denies any connection between itself and Deep Social. 

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.