Infosec Round-Up Nov 26th

Play Video

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

GoDaddy Password Hack

The American domain registrar and web hosting company GoDaddy has this week disclosed a data breach affecting around 1.2 million customers and multiple Managed WordPress service resellers.

With an attacker initially gaining access via a compromised password in early September, the breach was discovered on November 17th, giving the hacker two months of access to the company’s managed WordPress hosting environment.

Adding insult to injury, it is also being reported that GoDaddy was storing credentials as either plaintext, or in a format that could be reversed into plaintext, rather than in a hashed format that would help protect the information in case of an incident such as a breach.

Demetrius Comes, GoDaddy's Chief Information Security Officer has stated on the incident: “An unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress… We are sincerely sorry for this incident and the concern it causes for our customers.”

Adding, “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

UK Bans Weak Default Passwords

As part of the new Product Security and Telecommunications Infrastructure (PSTI) Bill, the UK has moved to ban companies from selling devices preloaded with ‘easy-to-guess’ default passwords in a bid to improve overall consumer security standards.

Introduced this week, the bill additionally requires customers to be informed of the minimum time the device will receive vital security updates and patches, as well as offering security researchers a public point of contact to register flaws and bugs.

Covering a range of devices, including smartphones, routers, security cameras, and games consoles, the soon to be appointed regulator will also have the power to fine companies up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.

Julia Lopez, minister for media, data and digital infrastructure, has stated, “Every day hackers attempt to break into people's smart devices. Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft… [this] bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Apple Sues NSO Group

American technology company Apple has announced it is suing the Israeli spyware firm NSO Group in an attempt to “hold it accountable for the surveillance and targeting of Apple users”.

Pegasus, which was the software developed by NSO Group, allowed operators to extract messages, photos and emails, as well as secretly activate and record microphone and camera data, was termed in the Apple announcement as “sophisticated, state-sponsored surveillance technology.”

Following a 2019 WhatsApp lawsuit against NSO Group, which is still ongoing, Apple also announced that it will be donating $10 million, as well as any funds recovered in the lawsuit, to security research groups, including Citizen Lab who first discovered NSO's attacks.

In the blog post, Apple has stated on the legal matter, “[this] lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


The importance of an email security policy

Why Organisations Need an Email Security Policy

An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.

Preventing Human Error in Information Security

Human Error in Information Security

When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.

Security Awareness - Return on Investment

Investing in Information Security Awareness Training

Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021

Microsoft Teams Security

How Secure is Microsoft Teams?

How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security

Enterprise Data Regulation

Best Ways To Ensure Enterprise Data Regulation

Best Ways To Ensure Enterprise Data Regulation guest blog by and information security awareness solution Hut Six Security.

Disaster Recovery Plan

Writing a Disaster Recovery Plan

Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.

Security Program Policies for 2021

What Policies Do I Need for a Security Program?

Security program policies blog by information security awareness training provider Hut Six Security.

Security Awareness Training for Cyber Essentials

Preparing for Cyber Essentials with Information Security Awareness Training

Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.

Security Awareness in 2021 - what has changed?

Information Security Awareness Training in 2021

Information Security Awareness Training in 2021 blog by information security awareness training platform Hut Six Security

Virtual Privacy Networks for Businesses

The Five Best VPNs for Work

What are the best VPNs for work? - VPN review blog by security awareness training provider Hut Six Security.

Speak to us about your Cyber Awareness