Infosec Round-Up Nov 26th

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

GoDaddy Password Hack

The American domain registrar and web hosting company GoDaddy has this week disclosed a data breach affecting around 1.2 million customers and multiple Managed WordPress service resellers.

With an attacker initially gaining access via a compromised password in early September, the breach was discovered on November 17th, giving the hacker two months of access to the company’s managed WordPress hosting environment.

Adding insult to injury, it is also being reported that GoDaddy was storing credentials as either plaintext, or in a format that could be reversed into plaintext, rather than in a hashed format that would help protect the information in case of an incident such as a breach.

Demetrius Comes, GoDaddy's Chief Information Security Officer has stated on the incident: “An unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress… We are sincerely sorry for this incident and the concern it causes for our customers.”

Adding, “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

UK Bans Weak Default Passwords

As part of the new Product Security and Telecommunications Infrastructure (PSTI) Bill, the UK has moved to ban companies from selling devices preloaded with ‘easy-to-guess’ default passwords in a bid to improve overall consumer security standards.

Introduced this week, the bill additionally requires customers to be informed of the minimum time the device will receive vital security updates and patches, as well as offering security researchers a public point of contact to register flaws and bugs.

Covering a range of devices, including smartphones, routers, security cameras, and games consoles, the soon to be appointed regulator will also have the power to fine companies up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.

Julia Lopez, minister for media, data and digital infrastructure, has stated, “Every day hackers attempt to break into people's smart devices. Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft… [this] bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Apple Sues NSO Group

American technology company Apple has announced it is suing the Israeli spyware firm NSO Group in an attempt to “hold it accountable for the surveillance and targeting of Apple users”.

Pegasus, which was the software developed by NSO Group, allowed operators to extract messages, photos and emails, as well as secretly activate and record microphone and camera data, was termed in the Apple announcement as “sophisticated, state-sponsored surveillance technology.”

Following a 2019 WhatsApp lawsuit against NSO Group, which is still ongoing, Apple also announced that it will be donating $10 million, as well as any funds recovered in the lawsuit, to security research groups, including Citizen Lab who first discovered NSO's attacks.

In the blog post, Apple has stated on the legal matter, “[this] lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.