The SecuriTea - Issue #21
Each week The SecuriTea News brings you the latest Cybersecurity News. Receive even more information by signing up for our newsletter. Here's what's new for this week:
New Orleans Latest in Ransomware Attack.
New Orleans declared a state of emergency and shut down its computers after a cybersecurity event, the latest in a string of city and state governments to be attacked by hackers. Suspicious activity was discovered around 5 a.m. last Friday morning and by 8 a.m., there was significant activity found to be evidence of phishing attempts and ransomware, as told by Kim LaGrue, the city’s head of IT said in a press conference. Though ransomware was detected, the city of New Orleans did not receive a demand for payment. This is just the latest incident as numerous local and state governments have been plagued by ransomware this year, a file-encrypting malware that demands money for the decryption key. Pensacola, Florida and Jackson County, Georgia are just a few examples of the near-constant stream of ransomware attacks over the past year. Louisiana state government was attacked in November, prompting officials to deactivate government websites and other digital services and causing the governor to declare a state of emergency. It was the state’s second declaration related to a ransomware attack in less than six months. Governments and local authorities are particularly vulnerable as they’re often underfunded and unresourced, and unable to protect their systems from some of the major threats.
Epilepsy Foundation Was Targeted in Mass Strobe Cyberattack
In a very disturbing story of how the internet can be harmful it has been reported that hackers sent videos and images of flashing strobe lights to thousands of Twitter followers of the Epilepsy Foundation last month in a mass cyberattack that apparently sought to trigger seizures in those with epilepsy, the foundation said on Monday. The series of online attacks was particularly reprehensible, it said in a statement because it took place during National Epilepsy Awareness Month. “These attacks are no different than a person carrying a strobe light into a convention of people with epilepsy and seizures, with the intention of inducing seizures and thereby causing significant harm to the participants,” said Allison Nichol, director of legal advocacy for the nonprofit foundation, which finances epilepsy research and connects people to treatment and support. The foundation reported 30 such attacks in the first week of November and said it had filed complaints with law enforcement authorities, including with the United States Attorney’s Office in Maryland, where the group’s headquarters are. It was unclear how many people clicked on the videos and animated images known as GIFs.
Amazon Ring Flaws Still Not Fixed, More Uncovered
**Note: If you have a Ring device or ANY smart home device, please do not reuse credentials to secure the device and enable multi-factor authentication for an extra layer of protection!!**
Serious security holes in the Ring smart doorbell have been uncovered, according to a new investigation. For instance, Ring owners aren’t notified of suspicious login alerts when devices are accessed from various IP addresses — and there are seemingly no limitations for incorrect login attempts. This means if someone was attempting to break into your security camera, you would not even know you were under attack. The new findings, based on Motherboard’s security tests on the Amazon-owned connected doorbell, come on the heels of several privacy and security incidents relating to Ring this past year. That includes several disturbing stories emerging over the past week of hackers hijacking Ring devices and stalking to strangers through them. In response to the recent hacks and the security tests, Ring said that many customers were reusing credentials for their accounts from other services, allowing bad actors to gain access. (See disclaimer above!!) “Customer trust is important to us and we take the security of our devices seriously,” a Ring spokesperson told Threatpost. “Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network. Recently, we were made aware of incidents where malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts. Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts.”
Password Security Still Not Improving Among Users
A list of independent, anonymous researchers composed a list of 200 most popular passwords that were leaked in data breaches during 2019 and shared it with security firm NordPass. What did researchers find? Users are still not taking the necessary precautions to create proper passwords to protect their accounts. NordPass collected and analyzed a total of 500 million passwords from breaches this year. And the results of the study were consistent with findings from similar studies in previous years. The compiled a list of passwords, called Collections #1-5, that showed that these passwords were found in breaches that exposed 3 billion records. Users were using weak passwords logic that included strings of letters forming a horizontal or vertical line on the keyboard, such as asdfghjkl, qazwsx, 1qaz2wsx, etc. The most obvious password—literally the word ‘password’— remained popular with 830,846 people still using it. Passwords such as ‘12345’, ‘123456’, and ‘123456789’ were the most common passwords, followed by ‘test1’ and, the password ‘password’. Passwords containing popular female names included Nicole, Jessica, Hannah, were also high among the list along with simple numerical strings and common names, other easy to crack common passwords were simple strings such as ‘asdf,’ ‘qwerty,’ ‘iloveyou,’ etc. Experts have found resemblance in the data with the last year’s report by SplashData on the worst passwords. Here are a list of the top 25 worst passwords being used:
Top 25 list of worst passwords
Below is the Top 25 list out of the 200 most popular passwords shared by the experts:
If you see a familiar password PLEASE go change your passwords!
More than 170 million usernames and passwords were stolen from the company behind Words With Friends in a hack this year, according to a breach monitoring site. Zynga, a social game developer that made its name with Farmville a decade ago and acquired Words With Friends a year later, admitted to the hack in September, telling users that cyber-attacks were “one of the unfortunate realities of doing business today”. It did not reveal at the time how many accounts were affected. Now, it has been revealed that the stolen database contained information on 172,869,660 unique accounts. According to Have I Been Pwned, a monitoring site that warns internet users if their personal details have been stolen in data breaches, the information accessed by the hacker included email addresses, usernames, and passwords stored insecurely.
Luckily, the game vendor deployed some form of password security, involving two processes called salting and hashing, which means it would be time-consuming and expensive for anyone who gets hold of the stolen data to uncover usable passwords. The dump also included some Facebook IDs and phone numbers for users who had provided that information to the company. The Hacker News spoke to the alleged perpetrator, a hacker who goes by the online alias Gnosticplayers, who said they had also stolen other, smaller databases from Zynga, including 7m unprotected passwords for users of a now-discontinued game called OMGPop. “This is just the latest in a string of hacks from Gnosticplayers, who appears to be vying for a reputation as much as monetary gain,” said Max Heinemeyer, the director of threat hunting at the cybersecurity company Darktrace. “Again we are reminded that companies are too often on the back foot and scrambling to do damage control in the aftermath of a data breach.” Concerned users can check whether their account was among those breached at Have I Been Pwned, which ranks the Zynga breach as the 10th largest it has cataloged and the second largest from a household name, after MySpace’s 2008 breach that exposed 360m accounts. That latter breach was not made public until May 2016.
And that's a wrap for your Weekly SecuriTea News. Be sure to check out the latest every week for the latest in Information Security News. Follow us on social media for daily news.