Infosec Round-Up Nov 26th
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
GoDaddy Password Hack
The American domain registrar and web hosting company GoDaddy has this week disclosed a data breach affecting around 1.2 million customers and multiple Managed WordPress service resellers.
With an attacker initially gaining access via a compromised password in early September, the breach was discovered on November 17th, giving the hacker two months of access to the company’s managed WordPress hosting environment.
Adding insult to injury, it is also being reported that GoDaddy was storing credentials as either plaintext, or in a format that could be reversed into plaintext, rather than in a hashed format that would help protect the information in case of an incident such as a breach.
Demetrius Comes, GoDaddy's Chief Information Security Officer has stated on the incident: “An unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress… We are sincerely sorry for this incident and the concern it causes for our customers.”
Adding, “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
UK Bans Weak Default Passwords
As part of the new Product Security and Telecommunications Infrastructure (PSTI) Bill, the UK has moved to ban companies from selling devices preloaded with ‘easy-to-guess’ default passwords in a bid to improve overall consumer security standards.
Introduced this week, the bill additionally requires customers to be informed of the minimum time the device will receive vital security updates and patches, as well as offering security researchers a public point of contact to register flaws and bugs.
Covering a range of devices, including smartphones, routers, security cameras, and games consoles, the soon to be appointed regulator will also have the power to fine companies up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.
Julia Lopez, minister for media, data and digital infrastructure, has stated, “Every day hackers attempt to break into people's smart devices. Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft… [this] bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
Apple Sues NSO Group
American technology company Apple has announced it is suing the Israeli spyware firm NSO Group in an attempt to “hold it accountable for the surveillance and targeting of Apple users”.
Pegasus, which was the software developed by NSO Group, allowed operators to extract messages, photos and emails, as well as secretly activate and record microphone and camera data, was termed in the Apple announcement as “sophisticated, state-sponsored surveillance technology.”
Following a 2019 WhatsApp lawsuit against NSO Group, which is still ongoing, Apple also announced that it will be donating $10 million, as well as any funds recovered in the lawsuit, to security research groups, including Citizen Lab who first discovered NSO's attacks.
In the blog post, Apple has stated on the legal matter, “[this] lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.
When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.
Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021
How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security
Best Ways To Ensure Enterprise Data Regulation guest blog by technivorz.com and information security awareness solution Hut Six Security.
Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.
Security program policies blog by information security awareness training provider Hut Six Security.
Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.
Information Security Awareness Training in 2021 blog by information security awareness training platform Hut Six Security
What are the best VPNs for work? - VPN review blog by security awareness training provider Hut Six Security.