Privacy Is SUCH a 20th Century Concept

An online payment system owned by PayPal has security problems? Say it ain’t so! Millions of Venmo transactions scraped in warning over privacy settings.

“There’s truly no reason to have this API open to unauthenticated requests,” he told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”

You want a Modern Tech Company™ to spend time and resources on YOUR privacy? There is no privacy. (F*c*book’s lawyer said so!)

Advertisements

What Happens When There Are Millions of Unpatched Mail Servers?

Well if there’s a known vulnerability, they get hacked. Millions of Exim Mail Servers Are Currently Being Attacked.

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are currently under siege, with attackers gaining permanent root access via SSH to the exploited machines according to security researchers.

The patch was issued in February. It was raised to critical a week or so ago. People are clueless.

The only people who will find this to be “unexpected” will be “executives.”

People are all about Windows, or Mac, Android vs iOS, but the most prevalent OS running the internet is Unix, in one of its many incarnations. And Exim, is one of the most popular email server packages running on Unix.

My initial post on this vulnerability is from the 9th of June.

Do You Think The NSA Will Get Their Attention?

I don’t. Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708).

After Microsoft warned Windows users on two separate occasions to patch a severe security flaw known as BlueKeep, now, the US National Security Agency has echoed the OS maker’s warning in the hopes of avoiding another WannaCry-like incident.

The NSA’s alert, authored by the agency’s Central Security Service division, is about the security flaw known as BlueKeep (CVE-2019-0708).

After WannaCry (and associated ransomware) cost corporations 100s of Millions of Dollars, and was in the news for MONTHS, you would think people might get the idea that they need to update their systems. They didn’t. (You want to spend HOW much updating systems? They work just fine today!)

I haven’t seen that any exploits are in the wild, but several have been developed by white-hat hackers, and not released. Though some “suspicious” port scanning was detected almost from the moment the bug was made public. When, not if, an exploit is released, denizens of Mahogany Row will say, “This is so unexpected!”

Millions of Servers Vulnerable – Patch Issued in February

Can you spell WannaCry? Or Not Petya? or Eternal Blue? Millions of Exim Mail Servers Exposed to Local, Remote Attacks.

The patch wasn’t identified as a security issue at the time, but that knowledge has come to light. Even so, February was a long-time ago, as the hacker world moves.

According to a quick Shodan search, vulnerable versions of Exim are currently running on roughly over 4,800,000 machines, with more than 588,000 servers already running the patched Exim 4.92 release.

600,000 servers have been updated (nearly). Explain to me again why you can’t update, I was laughing uncontrollably the last time you spoke.

At this point in time, if you have a system exposed to the internet and you are not patching in a timely fashion.

  1. No one, and I mean no one, is going to have sympathy for you when you get hacked, and hit with ransomware, or cryptominers.
  2. When you get hacked (and you will get hacked) management (that is Mahogany Row) should be tossed out on the street for “failure to manage.”
  3. You can’t say “critical system,” and “no resources to update” in the same breath (look up the definition of “critical.”)

Why am I not in Information Technology anymore? Because I no longer want to argue with people about why they really and truly need to update systems in a timely fashion. Even if that costs time and money. Even if they haven’t done it that way in the past. Now I just sit back and shake my head at the insanity.

The people behind the 400,000+ vulnerable servers… They have a week or so to patch, before the zero-day is exploited and they are in the same position as Baltimore, or UK’s NHS or pick your favorite poster child for the lack of security. Some of them will update, most of them won’t, and then they will cry, like Baltimore, about how this is so unexpected.

People Haven’t Updated Systems in the Face of WannaCry…

I see no reason to believe that people will update to prevent this attack. Nearly 1 Million Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw.

Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch.

It’s been 2 years since WannaCry hit, and Microsoft issued patches 2 months before that. There are still people impacted by the errors patched in 2017.

Microsoft posted the patch on (or about) May 14th, and reminded everyone again on May 30th.

The people behind those million machines are hopeless.

Baltimore Wants You to Pay for Their Lack of Planing

Because even though they’ve been told for the past 4 years that they are doing things wrong, why should they be responsible for their actions. Baltimore calls for federal emergency declaration after cyber attack.

City council president wants the federal government to have a larger supporting role in helping the city recover from the attack that disabled computer systems and key citizen services.

This will tell every city, county and state that they don’t need to do anything about cyber security, because when bad things happen, and they will, the federal .gov will bail you out. Can you spell “blank check?”

What is happening in Baltimore isn’t a disaster. It is the completely predictable outcome of the way they have been managing information technology. Refusing to listen even to the people that they hired to fix the mess. I, for one, don’t want to pay for their stupidity. For details on that stupidity, see this link.

What’s the Cost of Poor Cyber Security?

It can be high. Norsk Hydro Q1 core profit plunges after cyber attack.

Norsk Hydro was hit by a ransomware attack in March of this year. (LockerGoga ransomware to be specific.) It had a tremendous impact on first quarter results.

Aluminium-maker Norsk Hydro , the victim of a cyber attack in March that paralysed its IT systems, posted an 82% drop in first-quarter core profits on Wednesday

Core profit dropped from just over 400 million US dollars to $64.3 million.

So do you think any of the folks in the executive suite will be called to account for why they decided to “save money” by not investing in security? I don’t.

For review of what happened at Norsk Hydro, what they did that was right, and what they did that wasn’t so good, see this link.