Burgerville’s data breach

At some point in 2017 or 2018, the restaurant chain Burgerville experienced a security breach. Burgerville only learned of the issue when the FBI notified it on August 22 of this year. At first, it was seen as a “brief intrusion that no longer existed”. However, by September 19 (almost a whole month later), the company realized that the breach was still active and was targeting customers’ financial information. Burgerville does not specify what kind of malware it was or where it was detected, though the source article adds that it could have been at a point-of-sale system, where people physically swipe, scan or insert their cards.

Data that was stolen includes credit/debit card information: names, card numbers, expiration dates, and CVV security codes. Burgerville also does not know how many people could have been affected by this, though it warns everyone who used a card from September 2017 through September 2018 to watch their accounts for fraudulent purchases. Anyone who used a card to purchase anything at any one of its locations during the last year may have had their card information compromised.

“This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been,” states Burgerville. Although no direct evidence was given, the data breach is attributed to Fin7, also known as the Carbanak group, an Eastern European hacking network that has successfully carried out cyberattacks on over 100 US companies.

In August, three Ukrainian members of Fin7 were arrested in Europe, where Fin7 is believed to operate. Despite the arrests, Fin7 is still actively deploying malware on corporate networks. According to the US Department of Justice, this is not the first time Fin7 has targeted a US restaurant chain. Other victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Although the chain made the initial mistake of underestimating the breach, it pulled in an external cybersecurity company to stop the breach, remove the malware, and take preventative measures. “The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network,” Burgerville said in a written statement. Burgerville completed the operation to seal the breach on September 30.

Source articles: 

https://www.zdnet.com/article/burgerville-customer-credit-card-info-stolen-in-data-breach-laid-at-fin7s-feet/

https://www.oregonlive.com/business/index.ssf/2018/10/burgerville_reports_major_cred.html

 

Michael Abdalov

Adult Sites Database Breached

 

In fairly recent news, eight adult websites had their databases breached and downloaded, for a total file size of 98 megabytes. Judging from that number, one could assume that this is not the most large-scale breach; however, it is still relevant. What was breached is as follows: IP addresses of users, hashed passwords, names, and 1.2 million unique email addresses. Robert Angelini, the man behind it all, claims that the figure is inaccurate, as the website only had somewhere to the tune of 100k posts on it. The site has since been taken down for maintenance until the security vulnerability is fixed. He urges users to change their passwords. It is said that if the website cannot be secured, then it will remain down forever.


This breach is compared to the breach of Ashley Madison in that the users could be blackmailed due to the nature of the website, the nature of the website of course being to post naked pictures of one’s spouse, which is definitely of questionable ethics. The difference, of course, is the scale of the breach, with the Ashley Madison dump covering 36 million users.

For those who have been breached, there are similar takeaways to other breaches: change your password, and please don’t reuse passwords. Blackmail could be avoided by signing up for services like this with a disposable email account. Also, the password hashes that were dumped were hashed with descrypt, a hash function created in 1979. A password hash posted to Twitter by Troy Hunt, the guy behind https://haveibeenpwned.com/, was cracked in 7 minutes by hashcat. In conclusion, this illustrates the risks people may not know they are taking by putting personal information on insecure websites.

– Loudon Mehling

https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/
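Added example (not code from the article, the breached sites, or the post above): a Python auditor for a `user:hash` credential export that flags legacy hash schemes such as descrypt and unsalted MD5 for a forced reset, alongside a standard-library scrypt hash to migrate to. The sample dump, the scheme table and the `$scrypt-ex$` encoding are constructed for this example. The reason hashcat gets through descrypt in minutes is the 1979 design: DES-based, passwords silently truncated to 8 characters, and only a 12-bit salt.

```python
import hashlib
import hmac
import os
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed "user:hash" export for this demo. None of these are real
# credentials or data from the breach described above; only the formats
# matter. carol's 13-character entry has the shape of a descrypt hash
# (2-char salt + 11-char digest over the alphabet ./0-9A-Za-z), the
# scheme the article says the leaked passwords used.
SAMPLE_DUMP = """\
alice:$2b$12$LJ3m4Zv6zQzP3Rq8Gq1N6OQ4M8KfUeKnx2rR9Q0VxIo7X5fO2DwGm
bob:$6$rounds=656000$2xWz9kPq$q8WJyVb0Dn3G1e5Lr7Qz9Yx2Cv4Bn6Mk8Hj0Pl2Sd4Fg6Hj8Kl0Zx2Cv4Bn6Mk8Hj0Pl2Sd4Fg6
carol:abJnggxhB/yWI
dave:5f4dcc3b5aa765d61d8327deb882cf99
erin:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0
"""


class Finding(NamedTuple):
    user: str
    scheme: str
    verdict: str  # "legacy": fast/truncating, crackable offline; "acceptable": slow, salted


# Ordered most-specific first. Modular-crypt prefixes ($id$...) identify the
# scheme; a bare 13-char string is descrypt and bare hex is an unsalted digest.
_SCHEMES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"^\$argon2(id|i|d)\$"), "argon2", "acceptable"),
    (re.compile(r"^\$7\$"), "scrypt", "acceptable"),
    (re.compile(r"^\$2[abxy]\$\d{2}\$"), "bcrypt", "acceptable"),
    (re.compile(r"^\$6\$"), "sha512crypt", "acceptable"),
    (re.compile(r"^\$5\$"), "sha256crypt", "acceptable"),
    (re.compile(r"^\$1\$"), "md5crypt", "legacy"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt", "legacy"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "raw MD5", "legacy"),
    (re.compile(r"^[0-9a-fA-F]{40}$"), "raw SHA-1", "legacy"),
    (re.compile(r"^[0-9a-fA-F]{64}$"), "raw SHA-256", "legacy"),
]


def classify_hash(stored: str) -> Tuple[str, str]:
    """Return (scheme, verdict) for one stored hash string."""
    for pattern, scheme, verdict in _SCHEMES:
        if pattern.match(stored):
            return scheme, verdict
    return "unknown", "review"


def audit_dump(dump: str) -> List[Finding]:
    """Classify every user:hash line of an export."""
    findings = []
    for line in dump.splitlines():
        if ":" not in line:
            continue
        user, stored = line.split(":", 1)
        scheme, verdict = classify_hash(stored.strip())
        findings.append(Finding(user.strip(), scheme, verdict))
    return findings


def legacy_users(dump: str) -> List[str]:
    """Users whose hashes need a forced reset and re-hash under a modern scheme."""
    return [f.user for f in audit_dump(dump) if f.verdict == "legacy"]


# Replacement scheme: scrypt from the standard library. 2**14/8/1 is a common
# interactive-login cost (about 16 MiB per hash). The "$scrypt-ex$" encoding
# below is this example's own, not the Unix "$7$" format.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash; the full password is used, unlike descrypt's 8-char cut-off."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt-ex${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        _, tag, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # not in this example's format (e.g. a legacy descrypt string)
    if tag != "scrypt-ex":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print(f"{f.user:8s} {f.scheme:12s} {f.verdict}")
    print("force reset:", legacy_users(SAMPLE_DUMP))
```

The format check is by shape only, so a site that stores, say, a salted SHA-1 as bare hex will be flagged the same as an unsalted one; that is deliberate, since neither is slow enough to survive a hashcat run on leaked data. Users on legacy schemes cannot be migrated silently because the plaintext is needed to re-hash, so the practical path is to re-hash at next successful login and force a reset for everyone who does not log in.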

 

 

Critical Flaws Found in Amazon FreeRTOS IoT Operating System


A researcher has found serious flaws in the leading real-time operating system, FreeRTOS. This leaves a large number of Internet of Things devices vulnerable to attack, affecting devices from refrigerators to pacemakers. Last year, Amazon took over project management and upgraded the OS into its own Amazon FreeRTOS IoT operating system, enhancing it for use with Amazon’s own products in the future.

There are a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack, which affect Amazon FreeRTOS as well. These issues let hackers do just about anything they want to the target device, from executing their own code to leaking memory contents. The technical details of the flaws have not been revealed to the public in order to protect the development of a fix.

-Max Swank

First Internet of Things Security Laws Set for 2020 in California

California Governor Jerry Brown is the first governor to sign a bill to protect against the very prevalent cyber attacks on Internet of Things (IoT) devices. CNET reports:

The law mandates that any maker of an Internet-connected, or “smart,” device ensure the gadget has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Since this bill is the first of its kind, it is expected that many other states will begin to follow California’s example and implement some sort of protection against IoT attacks. Although the bill requires manufacturers to assign a password to each device, many of the stipulations are non-specific, like many cyber laws. It is hard to be specific in a case like this, as attackers could easily find a loophole not covered within the bill. A vague bill could, in a way, deter an attacker who knows the law could be interpreted in a number of ways to classify what he or she was doing as illegal.

This need for security was demonstrated most by the WannaCry ransomware attacks that hit hospitals across the nation. Hospitals have been increasingly using devices connected to their networks to aid in caring for patients. The attacks locked up devices that were in use, potentially threatening the lives of patients. An attack like this is more alarming than many ransomware attacks, as it depends on the attacker’s morals (or in this case, lack of morals) more than other attacks do.

The lack of security on IoT devices has desperately needed to be addressed, as over 8.4 billion IoT devices are out in the world on networks with little to no security. The law goes into effect at the beginning of 2020. California’s status as the most populous state in the U.S. is part of the reason the bill was signed into effect, and cybersecurity experts hope it will be influential in persuading other states to join the fight against attacks.

-Chevy Bolay

Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess, 9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has recently been targeting many universities. This phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of these spoof sites had domains which attempted to replicate the universities’ library pages, capturing the accounts of users attempting to access their library resources and obtaining 31 terabytes of academic knowledge. When the information was entered, users were redirected to the actual university library site, where they were either signed in or asked to re-enter their credentials. The 16 domains were created between May and August of this year. Many of the stolen research papers were then sold via encrypted messages on WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group, which has been found to be closely associated with the Iranian government. In March of this year, the United States had indicted the Mabna hacking group and nine members in connection with the group. This group’s previous attacks appeared to use the same infrastructure as the Cobalt Dickens attacks, implying some of the same members were involved. Universities that create cutting-edge research are high-priority targets due to the value of the information they hold as well as the difficulty of securing them. This hack took place shortly after the United States decided to re-establish economic sanctions on Iran, implying a potential political motivation.

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and implement complex password requirements on publicly accessible systems.” -SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/

https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/

https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks

https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
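An added example, not code from SecureWorks or from the post above: Python triage for lookalike hostnames, the kind of check a university could run over its DNS or proxy logs or a certificate-transparency feed to catch domains that mimic its library login page. The legitimate host and the observed names are constructed for this example (the real universities and the 16 spoofed domains are not named on the page). The classifier covers the common patterns: the real domain embedded as subdomain labels of an attacker-controlled domain, TLD swaps, ASCII homoglyphs, small-edit typosquats, and the brand buried inside a longer name.

```python
from typing import List, NamedTuple

# Hypothetical legitimate library hostname for a fictional school.
LEGIT_HOST = "library.example-university.edu"

# Constructed hostnames standing in for what a DNS log, proxy log or
# certificate-transparency feed might show. None is a real campaign domain.
OBSERVED = [
    "library.example-university.edu",                  # the real site
    "ezproxy.library.example-university.edu",          # a real subdomain
    "library.example-university.edu.login-reset.com",  # real name as labels of attacker's domain
    "example-university.com",                          # TLD swap
    "exarnple-university.net",                         # rn -> m homoglyph
    "example-univeristy.com",                          # transposition
    "library-example-university.com",                  # brand embedded in a longer name
    "accounts.unrelated-site.org",                     # noise
]


class Assessment(NamedTuple):
    host: str
    category: str  # legitimate | tld-swap | embedded | homoglyph | typosquat | brand-embedded | unrelated
    detail: str


# ASCII look-alikes common in typosquats. Applied to both sides before
# comparing, so a brand that genuinely contains "rn" still matches itself.
# Unicode/punycode (xn--) confusables are out of scope for this example.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    for lookalike, real in _HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Production code should use
    the Public Suffix List ("lib.foo.ac.uk" would be mis-split here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(host: str, legit: str = LEGIT_HOST) -> Assessment:
    host = host.lower().rstrip(".")
    legit_reg = registrable(legit)
    legit_sld = legit_reg.split(".")[0]
    reg = registrable(host)
    sld = reg.split(".")[0]

    if reg == legit_reg:
        return Assessment(host, "legitimate", f"same registrable domain {legit_reg}")
    if sld == legit_sld:
        return Assessment(host, "tld-swap", f"{legit_sld} under .{reg.split('.')[-1]}")
    if legit_reg in host:
        return Assessment(host, "embedded", f"{legit_reg} used as labels of {reg}")
    norm_sld, norm_legit = normalize(sld), normalize(legit_sld)
    if norm_sld == norm_legit:
        return Assessment(host, "homoglyph", f"{sld} normalizes to {legit_sld}")
    distance = levenshtein(norm_sld, norm_legit)
    if distance <= 2:  # judgement call; too loose for very short brand names
        return Assessment(host, "typosquat", f"edit distance {distance} from {legit_sld}")
    if legit_sld in sld:
        return Assessment(host, "brand-embedded", f"{legit_sld} inside {sld}")
    return Assessment(host, "unrelated", f"edit distance {distance} from {legit_sld}")


def triage(hosts: List[str], legit: str = LEGIT_HOST) -> List[Assessment]:
    """Everything that is not plainly the legitimate domain, for a human to review."""
    return [a for a in (assess(h, legit) for h in hosts) if a.category != "legitimate"]


if __name__ == "__main__":
    for a in triage(OBSERVED):
        print(f"{a.category:15s} {a.host:50s} {a.detail}")
```

The "embedded" case is the one most relevant to the redirect trick described above: a victim sees the real library hostname at the start of the address bar and the attacker-controlled registrable domain is pushed off to the right. The edit-distance threshold and the two-label registrable-domain shortcut are both places where real deployments need tuning, and, as the SecureWorks quote says, detection does not replace multi-factor authentication, which is what stops a harvested password from being useful.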