Infosec Round-Up Nov 26th

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

GoDaddy Password Hack

The American domain registrar and web hosting company GoDaddy has this week disclosed a data breach affecting around 1.2 million customers and multiple Managed WordPress service resellers.

The attacker first gained access using a compromised password in early September, and GoDaddy did not discover the breach until November 17th, meaning the intruder had roughly two months of access to the company’s Managed WordPress hosting environment.

Adding insult to injury, it is also being reported that GoDaddy was storing some of these credentials either as plaintext or in a format that could be reversed back into plaintext, rather than as salted, one-way hashes, which would have limited the damage once the stored records were exposed in a breach like this one.
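As an added illustration of the point above, and not code from this page or from GoDaddy, the following Python compares a reversible credential store with a salted, deliberately slow hash. The "legacy" scheme is represented here by plain base64 as a hypothetical stand-in; the page does not say which reversible format GoDaddy actually used. The sample user records are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# --- Reversible storage (the anti-pattern). base64 is a hypothetical stand-in for
# whatever reversible scheme a legacy system might use; it is not GoDaddy's format.

def legacy_store(password: str) -> str:
    """Encode the password reversibly. Anyone who reads the record can get it back."""
    return base64.b64encode(password.encode()).decode()


def legacy_recover(stored: str) -> str:
    """Why reversible storage fails: a breached record yields the original password."""
    return base64.b64decode(stored).decode()


# --- One-way storage: per-user random salt plus PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False              # malformed or foreign record: never "accept" it
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record uses a weaker work factor than current policy.

    Call this after a successful login so old records are upgraded transparently
    without ever needing the plaintext outside the login path.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def breach_impact(records: dict) -> dict:
    """Simulate an attacker reading a dumped credential table.

    Returns, per user, the plaintext if the record is reversible, or None if the
    attacker is left with only a salted hash to crack offline.
    """
    result = {}
    for user, stored in records.items():
        if stored.startswith(SCHEME + "$"):
            result[user] = None
        else:
            result[user] = legacy_recover(stored)
    return result


if __name__ == "__main__":
    # Constructed sample table: one legacy record, one hashed record.
    table = {
        "legacy_user": legacy_store("Summer2021!"),
        "hashed_user": hash_password("Summer2021!"),
    }
    for user, recovered in breach_impact(table).items():
        print(f"{user}: {'password recovered: ' + recovered if recovered else 'only a salted hash exposed'}")
    print("login with correct password:", verify_password("Summer2021!", table["hashed_user"]))
    print("login with wrong password:  ", verify_password("summer2021!", table["hashed_user"]))
```

The record format is self-describing so the work factor can be raised later; `needs_rehash` is what lets a provider migrate away from a weak or reversible scheme at each user's next successful login rather than leaving old records in place indefinitely.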

Demetrius Comes, GoDaddy's Chief Information Security Officer has stated on the incident: “An unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress… We are sincerely sorry for this incident and the concern it causes for our customers.”

Adding, “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

UK Bans Weak Default Passwords

As part of the new Product Security and Telecommunications Infrastructure (PSTI) Bill, the UK has moved to ban companies from selling devices preloaded with ‘easy-to-guess’ default passwords in a bid to improve overall consumer security standards.

Introduced this week, the bill additionally requires customers to be informed of the minimum time the device will receive vital security updates and patches, as well as offering security researchers a public point of contact to register flaws and bugs.

The bill covers a range of devices, including smartphones, routers, security cameras and games consoles, and a regulator yet to be appointed will have the power to fine companies up to £10m or 4% of their global turnover, plus up to £20,000 a day for ongoing contraventions.

Julia Lopez, minister for media, data and digital infrastructure, has stated, “Every day hackers attempt to break into people's smart devices. Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft… [this] bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Apple Sues NSO Group

American technology company Apple has announced it is suing the Israeli spyware firm NSO Group in an attempt to “hold it accountable for the surveillance and targeting of Apple users”.

Pegasus, the spyware developed by NSO Group, allowed its operators to extract messages, photos and emails from a target’s device, as well as to secretly activate the microphone and camera and record from them. Apple’s announcement termed it “sophisticated, state-sponsored surveillance technology.”

Apple’s suit follows a 2019 lawsuit brought by WhatsApp against NSO Group, which is still ongoing. Apple also announced that it will donate $10 million, along with any damages recovered in the lawsuit, to security research groups, including Citizen Lab, which first discovered NSO’s attacks on Apple users.

In the blog post, Apple has stated on the legal matter, “[this] lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
