This Week In Security - 03/16/2020
WikiLeaks Trial Exposes Holes in CIA Cybersecurity
Central Intelligence Agency looks far from clever as its shoddy cybersecurity practices are revealed in court.
CIA programmer Joshua Schulte stood accused of being instrumental in leaking the Vault 7 documents to WikiLeaks in 2018. As he defended himself against the charges, his lawyer turned the table on the CIA, accusing them of poor cybersecurity practices.
To gain access to the hacking tools that were subsequently stolen and leaked, the password Schulte needed to guess was, absurdly enough, 123ABCdef!
Lead defense attorney Sabrina Shroff argued that the security of the CIA’s theoretically secure network, DEVLAN, was so poor that it would be “impossible to determine who among a mix of agency employees, government contractors, and possibly even foreign hackers, could have taken the tools”.
After spending six hours deliberating, the jury’s failure to reach a unanimous decision led to a partial mistrial, although Schulte was convicted on some minor charges and is facing additional charges relating to the possession of child pornography.
Now all that remains to be seen is what punishment the CIA may face for failing to properly secure documents that it claims could be “devastating to our national security”.
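The password above is a useful teaching case: it satisfies every classic “complexity” rule (length, upper, lower, digit, symbol) yet is built almost entirely from keyboard sequences. The following added example is not from the article or from any CIA system; it is a hypothetical policy check showing why composition rules alone pass 123ABCdef! and how a sequence-run heuristic plus a small constructed blocklist (standing in for the compromised-password screening NIST SP 800-63B recommends) rejects it.

```python
import re

# Constructed blocklist standing in for a real compromised-password list (assumption, not a real dataset).
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "admin")


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Classic composition policy: minimum length plus upper, lower, digit and symbol."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def sequential_runs(pw: str, min_run: int = 3) -> list:
    """Lengths of maximal runs of consecutive code points ('123', 'ABC', 'fed')
    that are at least min_run characters long. Each character is counted once."""
    runs = []
    i, n = 0, len(pw)
    while i < n:
        j, direction = i, 0
        while j + 1 < n:
            diff = ord(pw[j + 1]) - ord(pw[j])
            if diff not in (1, -1):
                break
            if direction == 0:
                direction = diff
            elif diff != direction:
                break
            j += 1
        length = j - i + 1
        if length >= min_run:
            runs.append(length)
            i = j + 1
        else:
            i += 1
    return runs


def sequential_fraction(pw: str) -> float:
    """Share of the password that sits inside sequential runs (0.0 = none, 1.0 = all)."""
    return sum(sequential_runs(pw)) / len(pw) if pw else 0.0


def is_guessable(pw: str, max_sequential_fraction: float = 0.5) -> bool:
    """Reject passwords that are mostly sequences or contain a blocklisted fragment,
    regardless of whether they satisfy the composition policy."""
    lowered = pw.lower()
    if any(frag in lowered for frag in COMMON_FRAGMENTS):
        return True
    return sequential_fraction(pw) > max_sequential_fraction


def evaluate(pw: str) -> dict:
    """Combine both views so a reviewer can see where a policy would have stopped."""
    return {
        "composition_ok": passes_composition_rules(pw),
        "sequential_fraction": round(sequential_fraction(pw), 2),
        "guessable": is_guessable(pw),
    }


if __name__ == "__main__":
    for candidate in ("123ABCdef!", "xK7#pLq2wM", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

The point of the split is that composition_ok and guessable are independent signals: 123ABCdef! scores True on the first and True on the second, so a policy that stops at composition rules would accept it, while one that also screens for sequences and known-weak fragments would not.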
Bug Bounty Hunter Finds Security Hole in NordVPN
A security leak that could have exposed sensitive user data was hunted down by a researcher known as ‘dakitu’ and exposed on HackerOne – a bug bounty platform.
The security flaw meant that third parties could have gained access to “users’ email addresses, payment method, and URL, the product they purchase, [and] the amount they paid for it”.
The hole was linked to payment platforms Coinpayments, Gocardless, and Momo and was so simple to exploit, even I could have given it a shot. All you had to do was send an HTTP POST request, without authentication, to join.nordvpn.com and you’d be rewarded with lists of users’ email addresses and other private information.
Although the flaw was easy enough to fix and NordVPN handed dakitu a $1,000 reward for his or her efforts, it’s not great for NordVPN’s reputation. According to the University of Surrey’s Professor Alan Woodward, “It’s the sort of bug that can erode trust, which is vital to VPN providers”.
NordVPN launched its bug bounty program earlier this year and is delighted by the positive results, saying, “We’re not happy that we had a vulnerability in our system, but we’re very happy that it was found and eliminated so quickly”.
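The NordVPN flaw as described is a missing-authentication (and missing-authorization) defect on a payment-related endpoint: an unauthenticated POST returned other users’ records. The following added example is hypothetical and is not NordVPN’s code or its actual endpoint; it shows the failure mode beside the hardened form, using constructed order and session data, and a stdlib WSGI front so it runs offline.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample orders standing in for a payment-callback store (not real data).
ORDERS = [
    {"email": "alice@example.com", "method": "coinpayments", "product": "1-year", "amount": "83.88"},
    {"email": "bob@example.com", "method": "gocardless", "product": "monthly", "amount": "11.95"},
]

# Constructed session store: bearer token -> email of the user who owns it.
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}


def vulnerable_lookup(body: dict):
    """Hypothetical handler reproducing the reported failure mode: any POST naming
    a payment method receives every matching order, with no identity required."""
    method = body.get("method")
    return 200, [o for o in ORDERS if o["method"] == method]


def _authenticate(headers: dict):
    """Resolve the bearer token to a user with a constant-time comparison."""
    presented = headers.get("Authorization", "").encode("utf-8")
    for token, email in SESSIONS.items():
        if hmac.compare_digest(token.encode("utf-8"), presented):
            return email
    return None


def hardened_lookup(body: dict, headers: dict):
    """Same endpoint with two checks: the caller must present a valid session token
    (authentication), and only that caller's own orders are returned (authorization).
    The filter is applied server-side, so a client cannot widen it with a parameter."""
    email = _authenticate(headers)
    if email is None:
        return 401, {"error": "authentication required"}
    method = body.get("method")
    own = [o for o in ORDERS if o["email"] == email]
    if method is not None:
        own = [o for o in own if o["method"] == method]
    return 200, own


def app(environ, start_response):
    """Minimal WSGI front for the hardened handler."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "application/json")])
        return [b'{"error": "POST only"}']
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    raw = environ["wsgi.input"].read(length) if length else b""
    body = {k: v[0] for k, v in parse_qs(raw.decode("utf-8", "replace")).items()}
    headers = {"Authorization": environ.get("HTTP_AUTHORIZATION", "")}
    status, payload = hardened_lookup(body, headers)
    reason = {200: "OK", 401: "Unauthorized"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "application/json")])
    return [json.dumps(payload).encode("utf-8")]


if __name__ == "__main__":
    # Run locally (assumed port) and POST with an Authorization header to exercise the checks.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The two defects are distinct and both matter: adding a login check alone would still let any authenticated customer pull the whole list, so the hardened handler also scopes the query to the authenticated identity rather than to whatever the request body asks for.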
FBI Arrests Russian Cybercrime Kingpin
A Russian male national believed to host websites selling stolen credentials and hacked data has been arrested in New York by the FBI.
Kirill Victorovich Firsov is being investigated for his alleged link to the online store hosting service, Deer.io. The platform is believed to host around 250 online stores, many of which are dedicated to selling “hacked accounts, hacked servers, and personally identifiable information (PII), such as names, Social Security numbers, dates of birth, and victim addresses”.
The “Deer.io platform was first exposed as a haven for cybercrime activity in … June 2016”, when a hacker known as Tessa88 sold user data stolen from LinkedIn and Myspace on a site hosted by the Deer.io platform.
Back then, the company seemed to take little notice of the FBI’s threats, saying, “deer.io works according to the laws of the Russian Federation”.
Firsov is “expected to be officially charged with aiding and abetting of trafficking, and trafficking of stolen information”. His indictment also states that his conduct affected both “interstate and foreign commerce”.
Despite the severity of the accusations, the Deer.io platform is, at the time of writing, still operational, although we don’t recommend checking it out.
US Government Flounders in Cyberspace
The Cyberspace Solarium Commission has instructed the US government to overhaul its cybersecurity after a year-long investigation concluded that, “The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace”.
Created by the 2019 National Defense Authorization Act, the commission was charged with developing a “comprehensive strategic approach to defending the United States in cyberspace”. According to the report, the government needs to build resilience and improve its ability to respond to cyber threats quickly and effectively.
Recommendations include the transformation of the Cybersecurity and Infrastructure Security Agency and “an acceleration of the American strategy of persistent engagement”.
This would require government agencies to penetrate networks in Russia, Iran, China, and North Korea, among others, and take pre-emptive action should they detect a potential attack. Meanwhile, any foreign bodies caught stealing intellectual property, manipulating data, or interfering in US elections would be heavily penalized.
The commission also said that the government needs a clearer, more organized approach to cybersecurity. Co-chairman of the commission, Mike Gallagher, said, “We are attempting to galvanize the American public and spur a change in the status quo” in preparation for a serious cyberattack.